openssh and pam_ldap

Damien Miller
djm at mindrot.org
Fri Apr 30 10:12:09 EST 2004

Vincent Danen wrote:
> On Apr 29, 2004, at 1:18 PM, Jason McCormick wrote:
> 
> 
>>>Of course, one can turn on UsePAM, but the warnings in sshd_config
>>>make me nervous.  Also, running a few tests, it's a little too
>>>insecure for my liking.
>>
>>  If you're going to use pam_ldap you're going to have to set UsePAM =
>>yes.  Else ssh isn't going to contact your PAM stack to do anything.
>>UsePAM used to default to 'yes' until 3.8p1.  If you have UsePAM = no,
>>then SSH will only try to use shadow passwords.
> 
> 
> I understand that, but this is my point.
> 
> In 3.6, if root logins were set to "without-password", if you didn't 
> have a key, you weren't prompted for a password.  Now you are.  And if 
> you have the password, you're let in.  That obviously breaks the 
> "without-password" setting.

You can use pam_rootok or pam_list modules in an "auth" line of your
PAM config to deny access to root when logging in with PAM
authentication.

We accept that "PermitRootLogin without-password" is somewhat confusing
when used with PAM. We intend to clarify this before the next release,
perhaps by making PermitRootLogin accept a list of allowed
authentication mechanisms.

-d
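The following is an added illustration of the workaround suggested in the reply above; it is not configuration from the original message or from the OpenSSH project. It assumes Linux-PAM's pam_listfile module (presumably what the reply calls "pam_list"), a PAM service named "sshd", and a hypothetical deny-list path /etc/ssh/pam.denyusers. The sshd_config lines are the ones the thread is discussing; the PAM lines are the added part.

```text
# /etc/ssh/sshd_config (excerpt)
# UsePAM yes is required for pam_ldap to be consulted at all (see the
# thread above); with it, "without-password" alone no longer stops root
# from being offered a PAM password prompt.
UsePAM yes
PermitRootLogin without-password

# /etc/pam.d/sshd (excerpt, assumed layout)
# The deny line must come BEFORE the module that would accept root's
# password (pam_ldap, pam_unix, ...). "requisite" returns failure as soon
# as the user is on the list, so no later module gets to prompt.
# onerr=fail means a missing or unreadable list file denies rather than
# silently allowing everyone through.
auth    requisite   pam_listfile.so onerr=fail item=user sense=deny file=/etc/ssh/pam.denyusers
auth    required    pam_ldap.so
# ... remaining auth/account/session lines unchanged ...

# /etc/ssh/pam.denyusers (assumed path; one login name per line)
root
```

Two points to check after applying this: first, the list is consulted only in the "auth" stack, and OpenSSH does not run pam_authenticate for public-key logins, so root's key-based access is unaffected while its PAM password path is closed. Second, the same list applies to every PAM-authenticated login through the "sshd" service (password and keyboard-interactive alike), so test with a non-root LDAP account as well to confirm the ordering does not lock out ordinary users.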

More information about the openssh-unix-dev mailing list