openssh and pam_ldap

Ben Lindstrom mouring at etoh.eviladmin.org
Fri Apr 30 07:04:25 EST 2004



On Thu, 29 Apr 2004, Vincent Danen wrote:

>
> On Apr 29, 2004, at 1:18 PM, Jason McCormick wrote:
>
> >> Of course, one can turn on UsePAM, but the warnings in sshd_config
> >> make me nervous.  Also, running a few tests, it's a little too
> >> insecure for my liking.
> >
> >   If you're going to use pam_ldap you're going to have to set UsePAM =
> > yes.  Else ssh isn't going to contact your PAM stack to do anything.
> > UsePAM used to default to 'yes' until 3.8p1.  If you have UsePAM = no,
> > then SSH will only try to use shadow passwords.
>
> I understand that, but this is my point.
>
> In 3.6, if root logins were set to "without-password", if you didn't
> have a key, you weren't prompted for a password.  Now you are.  And if
> you have the password, you're let in.  That obviously breaks the
> "without-password" setting.
>

I suspect the change to the new PAM handling around 3.7 changed it.

> I'm well aware of how it works... my point is, it *doesn't* work, or at
> least not as well as it used to.  If PermitRootLogin is set to
> "without-password" then PAM shouldn't even be consulted, regardless of
> the setting of UsePAM.  Older versions worked correctly in this manner.
>

Sadly, if only it were that simple.  The problem is that PAM may support other
methods of authenticating, and "without-password" would break those as
well.

I believe there is already a PAM module to do such a thing, which for the
time being should be your solution.   This has been revisited a few times
lately.  I would check the archives for the full thread.

- Ben
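The thread turns on which settings sshd actually applies: sshd takes the first value it sees for a keyword (a later duplicate is ignored), keywords are case-insensitive, and with UsePAM on, a password can still be collected through PAM's keyboard-interactive path even when PasswordAuthentication is off. The following POSIX shell/awk check is an added example, not code from this thread or from OpenSSH. It prints the effective value of a keyword and reports whether a config carries the combination discussed above (root limited to "without-password" while UsePAM is on and keyboard-interactive authentication is not disabled). It assumes the defaults stated in sshd_config(5) when a keyword is absent (UsePAM no, ChallengeResponseAuthentication yes), stops at the first Match block as a simplification, and uses a constructed sample config; whether a given sshd version lets that combination through is what the thread discusses, and the script only surfaces the combination.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): report the settings sshd
# would actually use from an sshd_config and flag the PermitRootLogin/UsePAM
# combination discussed in the thread.

# effective_value FILE KEYWORD: print the first value sshd would take for
# KEYWORD, lowercased. sshd applies first-match-wins and matches keywords
# case-insensitively. Simplification: the global section is assumed to end
# at the first "Match" line, so anything after it is ignored.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }      # comments and blank lines
        tolower($1) == "match"    { exit }        # global section ends here
        tolower($1) == key        { print tolower($2); exit }
    ' "$1"
}

# root_pam_password_path FILE: print "yes" when root is restricted to
# without-password (or prohibit-password) but UsePAM is on and the
# keyboard-interactive path (ChallengeResponseAuthentication) is still
# enabled, i.e. PAM may still prompt root for a password; otherwise "no".
# Defaults when absent follow sshd_config(5): UsePAM no,
# ChallengeResponseAuthentication yes.
root_pam_password_path() {
    prl=$(effective_value "$1" PermitRootLogin)
    pam=$(effective_value "$1" UsePAM)
    cra=$(effective_value "$1" ChallengeResponseAuthentication)
    pam=${pam:-no}
    cra=${cra:-yes}

    case "$prl" in
        without-password|prohibit-password) ;;
        *) echo no; return 0 ;;
    esac
    if [ "$pam" != yes ]; then
        echo no; return 0
    fi
    if [ "$cra" = no ]; then
        echo no; return 0
    fi
    echo yes
}

# write_sample_config FILE: constructed sample, not a real host's config.
# The second "permitrootlogin no" is deliberately ignored by sshd because the
# first occurrence wins, and "PasswordAuthentication no" does not close the
# PAM keyboard-interactive path.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin without-password
UsePAM yes
permitrootlogin no
PasswordAuthentication no
EOF
}

# Stand-alone run: audit the constructed sample and print the findings.
tmp=$(mktemp)
write_sample_config "$tmp"
printf 'PermitRootLogin=%s UsePAM=%s PasswordAuthentication=%s\n' \
    "$(effective_value "$tmp" PermitRootLogin)" \
    "$(effective_value "$tmp" UsePAM)" \
    "$(effective_value "$tmp" PasswordAuthentication)"
printf 'root may still be prompted for a password via PAM: %s\n' \
    "$(root_pam_password_path "$tmp")"
rm -f "$tmp"
```

Run it against a real file by replacing the constructed sample with the path to the host's sshd_config; on a modern sshd, `sshd -T` prints the effective configuration directly and is the more authoritative source, while the function above is useful for reviewing a config file offline.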
