openssh and pam_ldap

Vincent Danen vdanen at linsec.ca
Fri Apr 30 07:35:25 EST 2004


On Apr 29, 2004, at 3:04 PM, Ben Lindstrom wrote:

>>>> Of course, one can turn on UsePAM, but the warnings in sshd_config
>>>> make me nervous.  Also, running a few tests, it's a little too
>>>> insecure for my liking.
>>>
>>>   If you're going to use pam_ldap you're going to have to set UsePAM =
>>> yes.  Else ssh isn't going to contact your PAM stack to do anything.
>>> UsePAM used to default to 'yes' until 3.8p1.  If you have UsePAM = no,
>>> then SSH will only try to use shadow passwords.
>>
>> I understand that, but this is my point.
>>
>> In 3.6, if root logins were set to "without-password", if you didn't
>> have a key, you weren't prompted for a password.  Now you are.  And if
>> you have the password, you're let in.  That obviously breaks the
>> "without-password" setting.
>>
>
> I suspect the change to the new PAM handling around 3.7 changed it.

That would sound right... the last version I used in production was 
3.6.1.

>> I'm well aware of how it works... my point is, it *doesn't* work, or at
>> least not as well as it used to.  If PermitRootLogin is set to
>> "without-password" then PAM shouldn't even be consulted, regardless of
>> the setting of UsePAM.  Older versions worked correctly in this manner.
>>
>
> Sadly if it was only that simple.  The problem is PAM may support other
> methods of authenticating and "Without-password" would break those as
> well.
>
> I believe there is already a PAM module to do such a thing.  Which for the
> time being should be your solution.   This has been revisited a few times
> lately.  I would check the archives for the full thread.

My bad... I should have checked the archives a little closer before as 
I missed this little gem:

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106916818016421&w=2

Using the pam_listfile.so module works 100%.  The password prompt comes 
up instead of doing a drop (like it would have in the past), but I can 
live with that.

-- 
Mandrakesoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}
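As an added example (not part of this thread, and not OpenSSH or Linux-PAM code), the following Python audit encodes the two sshd_config settings the thread turns on, PermitRootLogin and UsePAM, together with a pam_listfile.so deny rule of the kind the message above says fixed the problem. The sample sshd_config and PAM stacks, the /etc/ssh/denied_users path and the contents of that file are constructed assumptions; the thread does not say how pam_listfile was configured. The behaviour modelled for "PermitRootLogin without-password" with "UsePAM yes" is the one reported in this thread for the 3.7/3.8-era releases discussed (root is still handed a PAM password prompt), not a statement about current OpenSSH.

```python
"""Audit sshd_config + /etc/pam.d/sshd snippets for the root-login gap
described in the thread.  Added example; all sample data below is constructed."""
import re

# Constructed sample sshd_config (assumption: matches the poster's setup).
SSHD_CONFIG = """
Port 22
PermitRootLogin without-password
UsePAM yes
PasswordAuthentication yes
"""

# Constructed sample /etc/pam.d/sshd with pam_ldap, before the fix.
PAM_SSHD_WITHOUT_LISTFILE = """
auth       required     pam_env.so
auth       sufficient   pam_ldap.so
auth       required     pam_unix.so use_first_pass
account    required     pam_unix.so
"""

# Same stack with a pam_listfile deny rule in front (assumed configuration;
# item=, sense=, file= and onerr= are real pam_listfile options).
PAM_SSHD_WITH_LISTFILE = """
auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/denied_users onerr=succeed
auth       required     pam_env.so
auth       sufficient   pam_ldap.so
auth       required     pam_unix.so use_first_pass
account    required     pam_unix.so
"""

# Constructed deny-list contents, keyed by the assumed file path.
DENY_FILES = {"/etc/ssh/denied_users": "root\n"}

# PAM line: type, control (plain word or bracketed [ ... ]), module, arguments.
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_sshd_config(text):
    """Return {keyword_lower: value}; sshd keeps the first value it sees."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts


def pam_listfile_denies(pam_text, user, files):
    """True if an auth-type pam_listfile.so rule with item=user sense=deny
    lists `user` in its deny file (file contents supplied via `files`)."""
    for raw in pam_text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1).lower() != "auth":
            continue
        if not m.group(3).endswith("pam_listfile.so"):
            continue
        args = dict(a.split("=", 1) for a in m.group(4).split() if "=" in a)
        if args.get("item") != "user" or args.get("sense") != "deny":
            continue
        if user in files.get(args.get("file", ""), "").split():
            return True
    return False


def audit(sshd_text, pam_text, files):
    """Classify root password login as 'root-login-disabled',
    'root-password-blocked' or 'root-password-possible'."""
    opts = parse_sshd_config(sshd_text)
    prl = opts.get("permitrootlogin", "yes").lower()
    # Thread: UsePAM defaulted to 'yes' until 3.8p1, so assume 'no' when unset.
    use_pam = opts.get("usepam", "no").lower() == "yes"
    if prl == "no":
        return "root-login-disabled"
    if prl == "without-password" and not use_pam:
        return "root-password-blocked"   # no PAM stack, no password prompt
    # PermitRootLogin yes, or without-password with UsePAM on: per the thread,
    # sshd still offers root a PAM password prompt unless PAM itself says no.
    if use_pam and pam_listfile_denies(pam_text, "root", files):
        return "root-password-blocked"
    return "root-password-possible"


if __name__ == "__main__":
    print(audit(SSHD_CONFIG, PAM_SSHD_WITHOUT_LISTFILE, DENY_FILES))
    print(audit(SSHD_CONFIG, PAM_SSHD_WITH_LISTFILE, DENY_FILES))
```

The deny rule is placed first in the auth stack so that it runs before pam_ldap.so can succeed; `onerr=succeed` keeps an unreadable deny file from locking out every user, which is the trade-off to weigh against `onerr=fail`.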