3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwords
Dan Yefimov
dan at D00M.integrate.com.ru
Wed Nov 19 02:54:41 EST 2003
On Tue, 18 Nov 2003, Edgar, Bob wrote:
> First: yes, the patch disables root login for all PAM. But that's ok.
> Why? If "PermitRootLogin yes" is set then the behavior is as before. The
> patch gives an admin the choice to block all PAM/root logins (which are
> typically normal, plain vanilla, password logins). If more flexibility is
> required then the "yes" value will allow the PAM stack to decide.
>
> The PAM solution is clearly an option (thanks!) but not here (and I suspect
> many other sites as well). We have several hundred servers that would need
> to have a change to the PAM configuration. Sun doesn't supply a PAM module
> that supports the functionality required (at least, none that I am aware of)
> which means finding one or building one in-house. This option brings with it
> the usual risks with any development and is for that reason not attractive.
>
> Darren Tucker's comment about being misleading is, of course, true but I find
> the current state misleading as well but more dangerous. The system admin has
> configured the system and thinks that root logins with password are disabled
> but in fact they are not. Yes, as I acknowledged in my first post, it is
> documented so it is technically not a bug but this is the real world and I
> think the least surprises rule should apply here.
>
The current state is in no case misleading. As it was already mentioned by
Damien Miller, 'PermitRootLogin no' setting is honoured. 'PermitRootLogin
without-password' disables password authentication as such for root. But PAM is
used only if challenge-response authentication is enabled. And it is
'PermitRootLogin without-password' disabling challenge-response authentication
that is misleading. 'PermitRootLogin pubkey-only' or AllowedRootAuthMethods
options suggested by Darren Tucker would be the more appropriate general
solutions here.
--
Sincerely Your, Dan.
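As an added illustration of the distinction drawn in this thread (this is not code from the list or from OpenSSH), here is a small POSIX shell audit that reads an sshd_config and reports whether root can still reach the PAM stack. It follows the 3.7.1p2 semantics described above: "PermitRootLogin without-password" blocks root password authentication, but PAM is reached through challenge-response authentication, which that setting does not turn off. The UsePAM keyword, the assumed defaults and the sample configurations are assumptions and constructed data, not taken from the message.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: classify how root may
# authenticate under a given sshd_config, using the semantics described in
# the discussion (PAM is only reached via challenge-response authentication,
# which "PermitRootLogin without-password" leaves enabled).

# Print the effective value of KEYWORD in sshd_config FILE, or DEFAULT.
# sshd honours the first occurrence of a keyword, so the first match wins;
# comment lines are skipped.  Usage: sshd_opt FILE KEYWORD DEFAULT
sshd_opt() {
    val=$(awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1")
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$3"
}

# Classify root access.  Prints one of:
#   root-blocked          PermitRootLogin no
#   root-pam-reachable    password auth off, but challenge-response + PAM on
#   root-no-password-auth password and challenge-response both off for root
#   root-open             PermitRootLogin yes (or anything else)
# Defaults (assumed): PermitRootLogin yes, ChallengeResponseAuthentication yes,
# UsePAM no.
root_login_state() {
    prl=$(sshd_opt "$1" PermitRootLogin yes)
    cra=$(sshd_opt "$1" ChallengeResponseAuthentication yes)
    pam=$(sshd_opt "$1" UsePAM no)
    case "$prl" in
        no) echo root-blocked ;;
        without-password)
            if [ "$cra" = yes ] && [ "$pam" = yes ]; then
                echo root-pam-reachable
            else
                echo root-no-password-auth
            fi ;;
        *) echo root-open ;;
    esac
}

# Constructed sample configurations (not from any real host).
CFG_SURPRISE=$(mktemp)
cat > "$CFG_SURPRISE" <<'EOF'
# admin believes root password logins are disabled
PermitRootLogin without-password
ChallengeResponseAuthentication yes
UsePAM yes
EOF

CFG_STRICT=$(mktemp)
cat > "$CFG_STRICT" <<'EOF'
PermitRootLogin without-password
ChallengeResponseAuthentication no
UsePAM yes
EOF

CFG_BLOCKED=$(mktemp)
cat > "$CFG_BLOCKED" <<'EOF'
PermitRootLogin no
EOF

for f in "$CFG_SURPRISE" "$CFG_STRICT" "$CFG_BLOCKED"; do
    printf '%s: %s\n' "$f" "$(root_login_state "$f")"
done
```

The first sample is the case the original poster describes: the administrator has set "PermitRootLogin without-password" and expects password-style root logins to be gone, yet with challenge-response authentication and PAM enabled the PAM stack can still be consulted for root. The second sample shows the configuration that actually closes that path on this version.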