[Bug 117] New: OpenSSH second-guesses PAM

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Feb 15 09:56:26 EST 2002


           Summary: OpenSSH second-guesses PAM
           Product: Portable OpenSSH
           Version: -current
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: abartlet at samba.org

As I described in bug 114, OpenSSH makes assumptions about how PAM operates, and
denies it acess to potentially critical information about failed logins. 

This problem occurs if you want to use PAM to obtain a consistant audit history
across all system deamons - OpenSSH traditionally would not even start PAM, and
now starts it specifying 'NOUSER' as the login name.

I feel that the correct behaviour is to always call PAM.  There are two
particular reasons:  Firstly, it ensures that PAM gets to decide that a user is
invalid, and log it appropriatly.  OpenSSH can add its own checks to the top,
but the first decision should be with PAM.

The second is to prevent username guessing attacks - by always calling PAM the
system should always suffer the same timeouts/delays no matter the existance of
the attempted login.

Another (almost certainly less convincing) reason is that it would make it
easier for sombody to write an OpenSSH based deamon that didn't service logins -
like an authenticated proxy service that uses SSH for secure transport to the
firewall.  In this case the user almost certainly doesn't exist locally, but PAM
can still be useful for authenticaion.  (OK, so this is really oddball, but my
main concern is the first two reasons).

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the openssh-unix-dev mailing list