3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwor ds
Markus Friedl
markus at openbsd.org
Wed Nov 19 03:16:06 EST 2003
On Wed, Nov 19, 2003 at 01:09:18AM +1100, Darren Tucker wrote:
> "Edgar, Bob" wrote:
> >
> > It works for the "yes" case but not for the "without-password" case.
> > The function that checks (auth_root_allowed(auth_method) is special
> > cased for "password". The Pam case sends "keyboard-interactive/pam"
> > which like all other authentication methods except password succeeds.
> >
> > Here is a patch to make it work for me. Please feel free to criticize
> > as appropriate.
> [snip patch]
>
> The catch is PAM might not use any kind of password, it might use a
> super-secure two-factor authentication or something. In that case,
> "without-password" would be misleading.
>
> Maybe we need a more general "AllowedRootAuthMethods" option? Maybe not.
> Perhaps "PermitRootLogin pubkey-only"?
IMHO it's PAM's job to control access if PAM is used.
More information about the openssh-unix-dev
mailing list