PAM configuration
Pekka Savola
pekkas at netcore.fi
Wed Dec 27 22:02:19 EST 2000
On Wed, 27 Dec 2000, Damien Miller wrote:
> On Wed, 27 Dec 2000, Pekka Savola wrote:
>
> > > - Do FreeBSD and other systems where PAM is a port or addon still
> > > use /etc/pam.d?
> >
> > FreeBSD (as of 4.2) uses only /etc/pam.conf.
>
> Does it include usable defaults (i.e. ones that will allow password
> auth to proceed) when no explicit configuration is found?
[pam-list snipped]
Nope. Nothing relating to 'sshd', so incoming connections fail:
---
Dec 27 12:42:48 gap sshd[16503]: no modules loaded for `sshd' service
Dec 27 12:42:56 gap sshd[16504]: no modules loaded for `sshd' service
Dec 27 12:42:56 gap sshd[16504]: fatal: PAM session setup failed[6]: Permission denied
---
FreeBSD OpenSSH is based on the OpenBSD version directly, IIRC.
On Dec 5, OpenSSH 2.3.0 with PAM support was merged into the FreeBSD-5.0 CVS
tree, see e.g.:
http://www.FreeBSD.org/cgi/cvsweb.cgi/src/crypto/openssh/sshd.c
It still requires modifications for pam.conf, though.
Btw, I also noticed there is a 'ConnectionsPerPeriod' option for sshd which
allows ratelimiting (conns/sec) for incoming connections. I don't think
this has been upstreamed. The man page gives the following info:
---
ConnectionsPerPeriod
This keyword allows for rate-limiting of connections, and is followed
by two numbers in the format ``n/s'', where n is the number of
connections from a certain address group accepted per period of s
seconds. Any connection after the number n connection in the period
of s seconds will be dropped, and an informational message will be
logged. A connection will belong to a certain group, of which there
are 13 by default, according to its IP address. The default for this
keyword is ``0/0'', and rate-limiting can be explicitly turned off by
using an n parameter of `0' and any s parameter.
---
These were inherited a long time ago from
/usr/ports/security/openssh/files/patch-a{o,p,r}, it seems. I can send
these over if there's interest.
--
Pekka Savola                  "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
More information about the openssh-unix-dev mailing list
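
The failure in the log above ("no modules loaded for `sshd' service") comes from a pam.conf with no lines for the sshd service. The following is an added example, not part of the original post or of OpenSSH or FreeBSD: a small checker that reports which PAM module types have no entry for a given service. It assumes the usual five-field pam.conf layout (service, type, control, module path, arguments) with single-word control flags; the function names and the sample file are constructed for illustration.

```python
"""Added example: audit pam.conf-style text for a service's PAM entries."""

# Module types a pam.conf entry can declare.
MODULE_TYPES = ("auth", "account", "session", "password")

# Constructed sample, not taken from any real system: it configures
# 'login' only, so 'sshd' has nothing to load.
SAMPLE_PAM_CONF = """\
# service  type     control   module        arguments
login      auth     required  pam_unix.so   try_first_pass
login      account  required  pam_unix.so
login      session  required  \\
           pam_unix.so
"""


def parse_pam_conf(text):
    """Return {service: {module_type: [(control, module, args), ...]}}."""
    entries = {}
    logical = text.replace("\\\n", " ")          # join continued lines
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 4:
            continue                             # blank or malformed line
        service, mtype, control, module = fields[:4]
        mtype = mtype.lower()
        if mtype not in MODULE_TYPES:
            continue                             # not a known module type
        by_type = entries.setdefault(service.lower(), {})
        by_type.setdefault(mtype, []).append((control, module, fields[4:]))
    return entries


def missing_types(text, service="sshd"):
    """List module types for which `service` has no entry at all."""
    configured = parse_pam_conf(text).get(service.lower(), {})
    return [t for t in MODULE_TYPES if t not in configured]


if __name__ == "__main__":
    import sys
    # Assumption: the file to audit is passed as the first argument.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PAM_CONF
    gaps = missing_types(text)
    print("sshd: missing", ", ".join(gaps) if gaps else "nothing")
```

Run against the constructed sample, it reports all four module types missing for sshd, which is the state the log lines above correspond to.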