openssh and pam_ldap
Vincent Danen
vdanen at linsec.ca
Fri Apr 30 04:23:10 EST 2004
An observation and a question on the new version of OpenSSH. With
previous versions of OpenSSH, using something like pam_ldap to
authenticate users against an LDAP directory worked great; however, with
3.8p1 this is no longer the case. If I try to log into a machine with
an account under "LDAP's control", I always get password failures.
However, using an account with an ssh key associated with it works fine,
even if the user is an LDAP user. It seems to me like there is a
miscommunication with PAM here.

Of course, one can turn on UsePAM, but the warnings in sshd_config make
me nervous. Also, running a few tests, it's a little too insecure for
my liking. For instance:

- PermitRootLogin without-password is rendered obsolete when UsePAM is
  set to yes; a user connecting without a matching ssh key gets a
  password prompt and, if they provide the right password, they get access.
- PasswordAuthentication no is also rendered obsolete when UsePAM is
  enabled, with the same consequences as above, although realistically
  this isn't that big of a deal (if you have password auth set to no, you
  don't need UsePAM on when you can connect to an LDAP-auth'd account
  using an ssh key without UsePAM's help).

My major concern here is with PermitRootLogin. I can very much see
situations where the server is using LDAP for auth and direct root
logins are only desirable for things like backups and whatnot, or for
admins who shouldn't be trusted with the root password but instead have
a key. Sure, if they don't have the password and don't have the key,
they still can't get in; but if they do have the password and don't
have a key, before they couldn't get access. Now they can.

Is there some way that, if PermitRootLogin is set to a non-password auth
method, password authentication is not attempted regardless of the
setting of UsePAM? For instance, if it's set to without-password, why is
it even giving the user the chance to enter a password? At least if it's
set to "no", they're offered the password prompt but even with the right
password can't get in (sshd logs "PAM: Authentication Failure"). Can the
same not be done with the "without-password" option?

Thanks.
--
OpenSLS - Secure Linux Server: http://opensls.org/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
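As an added example that is not part of Vincent's post or of OpenSSH itself: a small POSIX shell audit that reads an sshd_config, reports the effective UsePAM, PermitRootLogin and PasswordAuthentication values (sshd keeps the first value it reads for a keyword), and flags the two combinations the post says UsePAM yes undercuts on 3.8p1. The function names, the two constructed sample configs and the choice to ignore Match blocks are my own assumptions; the script only flags a configuration for a manual check and does not itself decide whether a given sshd build accepts a password. It also recognises prohibit-password, the later spelling of without-password.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# UsePAM interactions the post describes. sshd uses the FIRST value given
# for a keyword, so that is the effective value reported here. Assumptions:
# directives are written "Keyword value" (whitespace separated), and
# anything inside a Match block is ignored (only global settings count).

# Print the effective value of keyword $2 in file $1, lowercased, or $3
# when the file never sets it before the first Match block.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/#.*/, "") }                    # drop comments
        NF == 0 { next }                      # skip blank lines
        tolower($1) == "match" { exit }       # global section ends here
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Print one "FINDING:" line per setting that UsePAM yes can undercut, as
# observed on 3.8p1 in the post. Whether the running sshd really accepts a
# password has to be verified on that version; this only flags the combo.
sshd_pam_findings() {
    usepam=$(sshd_effective "$1" UsePAM unset)
    rootlogin=$(sshd_effective "$1" PermitRootLogin unset)
    passauth=$(sshd_effective "$1" PasswordAuthentication unset)
    [ "$usepam" = yes ] || return 0
    case $rootlogin in
        without-password|prohibit-password)
            echo "FINDING: PermitRootLogin $rootlogin with UsePAM yes: confirm root is not offered a usable password prompt" ;;
    esac
    if [ "$passauth" = no ]; then
        echo "FINDING: PasswordAuthentication no with UsePAM yes: also check ChallengeResponseAuthentication/KbdInteractiveAuthentication, since PAM can prompt through keyboard-interactive"
    fi
    return 0
}

# Number of findings as a plain integer (0 when there is nothing to report).
sshd_pam_finding_count() {
    sshd_pam_findings "$1" | awk 'END { print NR }'
}

# Constructed sample configs (not taken from any real host).
write_sample_risky() {
    cat > "$1" <<'EOF'
# constructed: the layout the post describes, plus a decoy second UsePAM
Port 22
PermitRootLogin without-password
PasswordAuthentication no
UsePAM yes
# the next line is ignored by sshd: the first value wins
UsePAM no
Match User backup
    PasswordAuthentication yes
EOF
}

write_sample_hardened() {
    cat > "$1" <<'EOF'
# constructed: the same key-only policy with PAM left off
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
EOF
}

# Stand-alone demonstration on the two constructed files.
tmp=${TMPDIR:-/tmp}/sshd_audit.$$
write_sample_risky "$tmp.risky"
write_sample_hardened "$tmp.hardened"
for f in "$tmp.risky" "$tmp.hardened"; do
    echo "== $f"
    sshd_pam_findings "$f"
    echo "findings: $(sshd_pam_finding_count "$f")"
done
rm -f "$tmp.risky" "$tmp.hardened"
```

Point sshd_pam_findings at /etc/ssh/sshd_config on a host; a non-empty FINDING list means the key-only policy should be exercised on that sshd version with an LDAP account that has a password but no key before it is relied on.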