Proposal to add a DisableAuthentication option to sshd ServerOptions

Peter Moody mindrot at hda3.com
Fri Jun 28 07:49:33 AEST 2024


I'm not a maintainer, but my personal opinion is that it's probably
easier to prepare a container with this pam configuration.

On Thu, Jun 27, 2024 at 2:26 PM Henry Qin <hq6 at cs.stanford.edu> wrote:
>
> Thanks for the pointer!
> I played around with PamServiceName set to 'sshd_disable_auth' and got it working with the minimum contents below in the file /etc/pam.d/sshd_disable_auth.
>
> auth required pam_permit.so
> account required pam_permit.so
> session required pam_permit.so
>
> Thus, this does indeed enable disabling authentication.
>
> Unfortunately, as far as I can tell, only root can create files in /etc/pam.d in most default system configurations.
> Moreover, it is somewhat common to disallow root in an actual deployed environment.
>
> That means that this approach is infeasible when running sshd as an ordinary user, both generally and in deployed environments, unless the container or deployed VM already has a pam configuration file such as /etc/pam.d/sshd_disable_auth deployed with it.
>
> Thus, I'm still interested in your opinions on the proposed patch, which would grant more flexibility to ordinary users, and allow ad hoc usage in deployed scenarios without having to prepare a container with a bespoke pam configuration file.
>
> ~Henry
>
> On Thu, Jun 27, 2024 at 10:58 AM Peter Moody <mindrot at hda3.com> wrote:
>>
>> see pam_permit(8)
>>
>>
>> On Thu, Jun 27, 2024 at 10:37 AM Henry Qin <hq6 at cs.stanford.edu> wrote:
>> >
>> > When I looked at `man pam_unix`, I did not see any obvious options that would
>> > cause ssh to authenticate without prompting for a password at all, short of
>> > setting an empty password, which is similar to the PermitEmptyPasswords option.
>> >
>> > However, I am not very familiar with the internals of PAM, so pointers to
>> > documentation would be greatly appreciated.
>> >
>> > Also, I think adding a single line to sshd_config is simpler for most users to
>> > do correctly than configuring an alternate PAM stack without breaking their
>> > primary sshd setup, which is why I think the patch may still be useful.
>> >
>> > On Thu, Jun 27, 2024 at 7:57 AM Carson Gaspar <carson at taltos.org> wrote:
>> >
>> > > On 6/26/2024 9:34 PM, Henry Qin wrote:
>> > > > Hi folks,
>> > > >
>> > > > I've recently started to work on a patch for openssh that introduces a new
>> > > > option to disable authentication.
>> > > > I'd like to explain why I think this might be generally useful, and solicit
>> > > > opinions on whether such a patch would be acceptable to the maintainers as
>> > > > a pull request.
>> > >
>> > > Why not just use a different PAM stack? The new release allows
>> > > specifying the stack name. This should do what you want with no code
>> > > changes using Password / KbdInteractive AuthN.
>> > >
>> > > --
>> > >
>> > > Carson
>> > >
>> > > _______________________________________________
>> > > openssh-unix-dev mailing list
>> > > openssh-unix-dev at mindrot.org
>> > > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>> > >
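A defender-side check for the configuration discussed in this thread, added here as an example and not part of any message or of OpenSSH: it reports when an sshd_config points PAM at a service whose auth stack consists only of pam_permit.so. The function names and sample inputs are constructed; the sketch assumes the first value of a keyword wins, ignores Match blocks, and does not follow include lines into other files.

```python
import os
import re

# A PAM control is either a keyword or a bracketed [value=action ...] list.
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_pam_stack(text):
    """Return {type: [(control, module), ...]} for one /etc/pam.d file."""
    stack = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("@include"):
            # Debian-style include: record it so the stack is not judged permit-only.
            stack.setdefault("auth", []).append(("include", line.split()[-1]))
            continue
        m = PAM_LINE.match(line)
        if m:
            mtype, control, module = m.groups()
            stack.setdefault(mtype.lower(), []).append((control, os.path.basename(module)))
    return stack

def auth_always_succeeds(stack):
    """True when every auth entry is pam_permit.so, so no credential is checked."""
    auth = stack.get("auth", [])
    return bool(auth) and all(mod == "pam_permit.so" for _, mod in auth)

def sshd_pam_service(config_text):
    """Return (UsePAM enabled, PAM service name) from sshd_config text."""
    seen = {}
    for raw in config_text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().strip('"'))
    return seen.get("usepam", "no").lower() == "yes", seen.get("pamservicename", "sshd")

def audit(config_text, pam_files):
    """Return the service name if sshd's PAM auth stack checks nothing, else None."""
    use_pam, service = sshd_pam_service(config_text)
    stack = parse_pam_stack(pam_files.get(service, ""))
    return service if use_pam and auth_always_succeeds(stack) else None

# Constructed sample inputs: the stack quoted in the thread and a conventional one.
SAMPLE_SSHD_CONFIG = "UsePAM yes\nPAMServiceName sshd_disable_auth\n"
SAMPLE_PAM = {
    "sshd_disable_auth": "auth required pam_permit.so\n"
                         "account required pam_permit.so\n"
                         "session required pam_permit.so\n",
    "sshd": "auth required pam_unix.so\naccount required pam_unix.so\n",
}
```
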

