Proposal to add a DisableAuthentication option to sshd ServerOptions
Peter Moody
mindrot at hda3.com
Fri Jun 28 03:58:09 AEST 2024
see pam_permit(8)
On Thu, Jun 27, 2024 at 10:37 AM Henry Qin <hq6 at cs.stanford.edu> wrote:
>
> When I looked at `man pam_unix`, I did not see any obvious options that
> would
> cause ssh to authenticate without prompting for a password at all, short of
> setting an empty password which is similar to PermitEmptyPasswords option.
>
> However, I am not very familiar with the internals of PAM, so pointers to
> documentation would be greatly appreciated.
>
> Also, I think adding a single line to sshd_config is simpler for most users
> to
> do correctly than configuring an alternate PAM stack without breaking their
> primary sshd setup, which is why I think the patch may still be useful.
>
> On Thu, Jun 27, 2024 at 7:57 AM Carson Gaspar <carson at taltos.org> wrote:
>
> > On 6/26/2024 9:34 PM, Henry Qin wrote:
> > > Hi folks,
> > >
> > > I've recently started to work on a patch for openssh that introduces a
> > new
> > > option to disable authentication.
> > > I'd like to explain why I think this might be generally useful, and
> > solicit
> > > opinions on whether such a patch would be acceptable to the maintainers
> > as
> > > a pull request.
> >
> > Why not just use a different PAM stack? The new release allows
> > specifying the stack name. This should do what you want with no code
> > changes using Password / KbdInteractive AuthN.
> >
> > --
> >
> > Carson
> >
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
More information about the openssh-unix-dev
mailing list