openssh and pam_ldap
Vincent Danen
vdanen at linsec.ca
Fri Apr 30 06:01:54 EST 2004
On Apr 29, 2004, at 1:18 PM, Jason McCormick wrote:
>> Of course, one can turn on UsePAM, but the warnings in sshd_config
>> make me nervous. Also, running a few tests, it's a little too
>> insecure for my liking.
>
> If you're going to use pam_ldap you're going to have to set UsePAM =
> yes. Else ssh isn't going to contact your PAM stack to do anything.
> UsePAM used to default to 'yes' until 3.8p1. If you have UsePAM = no,
> then SSH will only try to use shadow passwords.
I understand that, but this is my point.
In 3.6, if root logins were set to "without-password", if you didn't
have a key, you weren't prompted for a password. Now you are. And if
you have the password, you're let in. That obviously breaks the
"without-password" setting.
I'm well aware of how it works... my point is, it *doesn't* work, or at
least not as well as it used to. If PermitRootLogin is set to
"without-password" then PAM shouldn't even be consulted, regardless of
the setting of UsePAM. Older versions worked correctly in this manner.
--
Mandrakesoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
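Added example (not part of the thread, and not OpenSSH's own code): a small Python check that parses an sshd_config the way sshd does (first value of a keyword wins, comments ignored) and flags the combination discussed above, PermitRootLogin without-password together with UsePAM yes; it also accepts the later spelling prohibit-password, and the sample config is constructed.

```python
import re

# Constructed sample sshd_config, in the shape the thread describes: root
# limited to key-based login, but UsePAM switched on because pam_ldap needs it.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin without-password
PasswordAuthentication yes
UsePAM yes
"""

def parse_sshd_config(text):
    """Map lowercased keyword -> value. sshd keeps the FIRST value it sees for
    a keyword, so duplicates later in the file are ignored. Parsing stops at
    the first Match block, whose settings are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def check_root_login_policy(text):
    """Return a list of findings (empty when the config raises no concern)."""
    cfg = parse_sshd_config(text)
    permit = cfg.get("permitrootlogin", "unset").lower()
    usepam = cfg.get("usepam", "unset").lower()
    findings = []
    # The combination reported in the thread: with UsePAM yes, an sshd that
    # routes authentication through PAM may still prompt root for a password
    # even though PermitRootLogin says keys only. Verify this on the host.
    if permit in ("without-password", "prohibit-password") and usepam == "yes":
        findings.append("PermitRootLogin %s with UsePAM yes: confirm root gets "
                        "no password prompt" % permit)
    if permit == "unset":
        findings.append("PermitRootLogin is not set explicitly; the default applies")
    return findings

if __name__ == "__main__":
    for finding in check_root_login_policy(SAMPLE_CONFIG):
        print("WARNING:", finding)
```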