Does a known security issue allow ssh login via system accounts?
Damien Miller
djm at mindrot.org
Tue Mar 8 10:12:01 AEDT 2022
On Mon, 7 Mar 2022, Whit Blauvelt wrote:
> On Tue, 03/01/22, 2022 at 09:45:04AM +1100, Damien Miller wrote:
>
> > It sounds like you have already verified that your PAM configuration was
> > not tampered with, so that removes one possibility. Reviewing the Ubuntu
> > PAM configurations and the patches they apply to sshd seem to be prudent
> > next steps.
>
> Found the culprit: me. I was stupid enough to install and configure for
> libpam-google-auth, given a company mandate to 2FA all connections with
> admin access, where it wasn't in scope to add 2FA to all client accounts. If
> there's existing documentation anywhere on how dangerous this is, it's not
> in libpam-google-auth's own docs, nor in the recipes scattered across the
> net.
(off-list)
If you're able to share details of what went wrong, then please let me
know and I'll make sure they get back to the developers of this module.
-d
More information about the openssh-unix-dev
mailing list