openssh and pam_ldap
Vincent Danen
vdanen at linsec.ca
Fri Apr 30 10:17:48 EST 2004
On Apr 29, 2004, at 6:12 PM, Damien Miller wrote:
>>>> Of course, one can turn on UsePAM, but the warnings in sshd_config
>>>> make me nervous. Also, running a few tests, it's a little too
>>>> insecure for my liking.
>>>
>>> If you're going to use pam_ldap you're going to have to set UsePAM =
>>> yes. Else ssh isn't going to contact your PAM stack to do anything.
>>> UsePAM used to default to 'yes' until 3.8p1. If you have UsePAM = no,
>>> then SSH will only try to use shadow passwords.
>>
>> I understand that, but this is my point.
>>
>> In 3.6, if root logins were set to "without-password", if you didn't
>> have a key, you weren't prompted for a password. Now you are. And if
>> you have the password, you're let in. That obviously breaks the
>> "without-password" setting.
>
> You can use pam_rootok or pam_list modules in an "auth" line of your
> PAM config to deny access to root when logging in with PAM
> authentication.
Yeah, I'm using pam_listfile.so and it works just as well.
> We accept that "PermitRootLogin without-password" is somewhat confusing
> when used with PAM. We intend to clarify this before the next release,
> perhaps by making PermitRootLogin accept a list of allowed
> authentication mechanisms.
Sounds good. The without-password + UsePAM=yes + pam_listfile.so
combination works pretty well though, so no complaints from me.
Keep up the good work. =)
--
Mandrakesoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
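The configuration combination discussed in this thread, written out as an added example (not taken from the original messages, and not a configuration shipped by OpenSSH or pam_ldap). The deny-list path /etc/ssh/denyusers and the exact ordering of the pam_unix/pam_ldap lines are assumptions; adjust them to the local stack:

```text
# /etc/ssh/sshd_config (relevant lines only)
#
# With UsePAM no (the pre-3.8p1 behaviour this thread compares against),
# "without-password" meant root was never even prompted for a password.
# With UsePAM yes, sshd hands password and keyboard-interactive
# authentication to the PAM stack, so root may be prompted; the PAM
# stack itself has to refuse root.
PermitRootLogin without-password
UsePAM yes

# /etc/pam.d/sshd (assumed layout)
#
# pam_listfile runs first in the "auth" phase and fails for any user named
# in the deny list. onerr=fail closes the stack if the list file is missing
# or unreadable, which is the safer choice for a deny list.
auth      required    pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers onerr=fail
# Local accounts first, then LDAP with the password already collected.
auth      sufficient  pam_unix.so
auth      sufficient  pam_ldap.so use_first_pass
auth      required    pam_deny.so

account   required    pam_unix.so
account   sufficient  pam_ldap.so

# /etc/ssh/denyusers (assumed path; one username per line)
root
```

Only PAM-mediated methods (password, keyboard-interactive) pass through the "auth" stack, so root can still log in with a public key while the deny list blocks the password prompt that UsePAM=yes reintroduced. Check the result from another host with `ssh -o PubkeyAuthentication=no root@host` and confirm that the password is rejected even when it is correct.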