Does a known security issue allow ssh login via system accounts?

Whit Blauvelt whit at transpect.com
Tue Mar 8 03:14:52 AEDT 2022


On Tue, 03/01/22, 2022 at 09:45:04AM +1100, Damien Miller wrote:

> It sounds like you have already verified that your PAM configuration was
> not tampered with, so that removes one possibility. Reviewing the Ubuntu
> PAM configurations and the patches they apply to sshd seem to be prudent
> next steps.

Found the culprit: me. I was stupid enough to install and configure for
libpam-google-auth, given a company mandate to 2FA all connections with
admin access, where it wasn't in scope to add 2FA to all client accounts. If
there's existing documentation anywhere on how dangerous this is, it's not
in libpam-google-auth's own docs, nor in the recipes scattered across the
net.

I've found no way yet to tweak it to be safe that I can be sure of, short of
running a separate sshd on another port for it. Has there been consideration
of adding 2FA to OpenSSH that doesn't require enabling PAM? Public keys and
IP restrictions seem enough to me. Yet my corporate overlord is required by
their insurance firm to use 2FA. To satisfy that demand, I compromised
security with the badly documented libpam-google-auth -- as if a firm that
can't even secure their flagship browser should be trusted on security.

Stupid me,

Whit


