openssh and pam_ldap
Ben Lindstrom
mouring at etoh.eviladmin.org
Fri Apr 30 07:04:25 EST 2004
On Thu, 29 Apr 2004, Vincent Danen wrote:
>
> On Apr 29, 2004, at 1:18 PM, Jason McCormick wrote:
>
> >> Of course, one can turn on UsePAM, but the warnings in sshd_config
> >> make me nervous. Also, running a few tests, it's a little too
> >> insecure for my liking.
> >
> > If you're going to use pam_ldap you're going to have to set UsePAM =
> > yes. Else ssh isn't going to contact your PAM stack to do anything.
> > UsePAM used to default to 'yes' until 3.8p1. If you have UsePAM = no,
> > then SSH will only try to use shadow passwords.
>
> I understand that, but this is my point.
>
> In 3.6, if root logins were set to "without-password", if you didn't
> have a key, you weren't prompted for a password. Now you are. And if
> you have the password, you're let in. That obviously breaks the
> "without-password" setting.
>
I suspect the change to the new PAM handling around 3.7 changed it.
> I'm well aware of how it works... my point is, it *doesn't* work, or at
> least not as well as it used to. If PermitRootLogin is set to
> "without-password" then PAM shouldn't even be consulted, regardless of
> the setting of UsePAM. Older versions worked correctly in this manner.
>
Sadly if it was only that simple. The problem is PAM may support other
methods of authenifying and "Without-password" would break those as
well.
I believe there is already a PAM module to do such a thing. Which for the
time being should be your solution. This has been revisited a few times
lately. I would check the archives for the full thread.
- Ben
More information about the openssh-unix-dev
mailing list