[Bug 559] PAM fixes

Darren J Moffat Darren.Moffat at Sun.COM
Wed May 14 06:43:52 EST 2003


On Tue, 13 May 2003, Damien Miller wrote:

> Darren J Moffat wrote:
> > On Mon, 12 May 2003, Damien Miller wrote:
> >
> >> The PAM stuff is IMO separate - one may disable empty passwords by
> >> omitting the "nullok" flag to pam_unix.so in the PAM control file.
> >
> > That is an argument specific to one vendor's implementation of a specific module.
> > There is (and probably should not be) any standardization of the arguments
> > modules take.  Some vendors may choose to standardize options across modules
> > they implement but it is certainly not required.
>
> Ok, but the point was that control over the behaviour of PAM modules and
> what they accept should be done in the PAM control file and not in
> sshd_config.

In general yes, but for "empty" passwords there is an explicit flag for
pam_authenticate(3pam), PAM_DISALLOW_NULL_AUTHTOK.

Personally I think this is the wrong level of abstraction and if there
is ever a version 2 of PAM I would hope to remove this because it is
individual module policy that should be used here.

-- 
Darren J Moffat
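
An added example, not part of the original thread or of OpenSSH: a small audit of a PAM control file for the "nullok" argument to pam_unix.so that the quoted message mentions. It assumes the Linux-PAM spelling of that argument (as noted above, other vendors' modules may use different arguments); the function names and the sample file are constructed for illustration.

```python
import re

# Constructed /etc/pam.d/<service>-style sample (no service column); not from a real host.
SAMPLE_PAM_D = """\
# constructed example
auth     required   pam_env.so
auth     [success=1 default=ignore]  pam_unix.so nullok \\
         try_first_pass
-auth    optional   pam_gnome_keyring.so
account  required   pam_unix.so
password required   pam_unix.so nullok sha512
"""

def parse_pam(text, has_service_column=False):
    """Parse PAM rules; has_service_column=True selects the /etc/pam.conf layout."""
    rules, pending, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = n                      # first physical line of this rule
        if raw.endswith("\\"):             # backslash-newline continues the rule
            pending += raw[:-1] + " "
            continue
        line = (pending + raw).split("#", 1)[0].strip()
        pending = ""
        if not line:
            continue
        # A control field may be a bracketed "[value=action ...]" list with spaces.
        tokens = re.findall(r"\[[^\]]*\]|\S+", line)
        service = tokens.pop(0) if has_service_column else None
        if len(tokens) < 3:
            continue                       # malformed rule, nothing to audit
        mtype, control, module, *args = tokens
        rules.append({"line": start, "service": service,
                      "type": mtype.lstrip("-"), "control": control,
                      "module": module, "args": args})
    return rules

def null_password_rules(rules):
    """auth rules that pass Linux-PAM pam_unix the 'nullok' argument."""
    return [r for r in rules
            if r["type"] == "auth"
            and r["module"].rsplit("/", 1)[-1] == "pam_unix.so"
            and "nullok" in r["args"]]

if __name__ == "__main__":
    for r in null_password_rules(parse_pam(SAMPLE_PAM_D)):
        print(f"line {r['line']}: {r['module']} accepts empty passwords ({' '.join(r['args'])})")
```

Only the auth stack is reported; the "nullok" on the password line of the sample is parsed but deliberately not flagged.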



