Subject: Re: pam
To: None <current-users@netbsd.org>
From: Christos Zoulas <christos@tac.gw.com>
List: current-users
Date: 03/25/2005 12:33:38
In article <20050325161544.737E03C093F@berkshire.machshav.com>,
Steven M. Bellovin <smb@cs.columbia.edu> wrote:
>I'll freely confess that I don't understand pam. How do I turn off ssh
>access via a password? I have
>
> PasswordAuthentication no
You remove the:
auth required pam_unix.so no_warn try_first_pass
because you don't want unix password authentication.
>in sshd_config, but PAM is overriding that. /etc/pam.d/sshd has
>several lines that reference passwords; it isn't at all clear to me if
>I have to change them all or not. (What I've done for now is turn off
>PAM in sshd_config.) I'm particularly confused by the 'auth' versus
>'password' entries -- the PAM documentation says that the password
>lines are for password changing and the like, but I know of no way to
>use ssh to change a password, so why is it there?
It is used during password expiration. I.e., if your password has
expired and requires changing, the PAM module will do that.
>What are the implications of pam_krb5 if I don't have Kerberos?
It will always fail.
>More generally, sshd has many authorization control mechanisms of its
>own. How do these interact with PAM? The sshd_config file needs to be
>changed so that parameters ignored if PAM is in use (such as the
>aforementioned PasswordAuthentication line) are clearly separated from
>those that still have power to authenticate a user. Other services may
>have similar issues. For example, I note that there is a pam_ftpusers
>module that checks against /etc/ftpusers, but there doesn't seem to be
>anything that checks against /etc/shells.
I agree with all those points. I haven't looked carefully, but I think
a pam_shell module might be a good addition (and trivial to write).
christos
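
Added as an illustration of the two edits the reply describes; it is not copied from the message or from NetBSD's shipped files, and the auth stack is abbreviated to the modules the reply mentions. It shows the pam.d stack with the Unix password line present and with it removed, and the sshd_config lines that belong with that change.

```conf
# /etc/pam.d/sshd, auth stack before (abbreviated; pam_unix is the line
# the reply says to remove):
auth        sufficient  pam_krb5.so     no_warn try_first_pass
auth        required    pam_unix.so     no_warn try_first_pass

# after: no Unix password check at all.  pam_krb5 stays; without a KDC it
# always fails, and a failing "sufficient" module merely lets the stack
# continue, leaving nothing in it that can say yes to a password.
auth        sufficient  pam_krb5.so     no_warn try_first_pass

# The "password" stack is a different thing and can stay: it is only run
# when an expired password has to be changed, as the reply explains.
password    required    pam_unix.so     no_warn try_first_pass

# /etc/ssh/sshd_config: with UsePAM, sshd hands a password to the PAM
# auth stack through the keyboard-interactive method as well as through
# the password method, so both must be off before PasswordAuthentication
# no actually stops password logins.
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication no
```

With both sshd options off the PAM auth stack is never asked to check a password, so trimming pam.d/sshd is belt and braces; the account and session stacks still run for key and Kerberos logins, which is where a check like pam_ftpusers (or the pam_shell suggested above) belongs.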
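
The pam_shell module suggested at the end really is short. What follows is an added example, not code from the message or from NetBSD: the /etc/shells check is a PAM-independent function exercised here against a constructed shells file (sample_shells and sample_check exist only for the demonstration), and the account-management entry point that would make it pam_shell.so is compiled only with -DPAM_MODULE against OpenPAM's <security/pam_modules.h>. Like pam_ftpusers it goes in the account stack, so the rule applies whichever auth method (key, Kerberos, password) let the user in.

```c
/*
 * pam_shell: the /etc/shells check proposed above, as an added example
 * (not NetBSD code).  Policy, borrowed from ftpd: refuse any user whose
 * login shell is not listed in /etc/shells.  The check is PAM-independent
 * so it can run against constructed text; the PAM entry point below is
 * compiled only with -DPAM_MODULE against OpenPAM's headers.
 */
#include <stdio.h>
#include <string.h>

/*
 * 1 if `shell` is listed in /etc/shells-format text, else 0.  Entries are
 * recognised as getusershell(3) recognises them: a line counts only if
 * its first non-blank character is '/', and the entry ends at the first
 * blank or tab, so comments and trailing junk are ignored.
 */
int shell_in_text(const char *text, const char *shell)
{
    const char *line = text;
    size_t want = strlen(shell);

    while (*line != '\0') {
        const char *eol = line + strcspn(line, "\n");
        const char *entry = line;
        size_t len;

        while (entry < eol && (*entry == ' ' || *entry == '\t'))
            entry++;
        if (entry < eol && *entry == '/') {
            len = strcspn(entry, " \t\r\n");
            if (len == want && memcmp(entry, shell, len) == 0)
                return 1;
        }
        line = (*eol == '\n') ? eol + 1 : eol;
    }
    return 0;
}

/*
 * Same check against a file on disk; -1 if it cannot be read, which the
 * module treats as a denial.  Deliberately stricter than getusershell(3),
 * which falls back to /bin/sh and /bin/csh when /etc/shells is missing.
 */
int shell_is_listed(const char *shells_path, const char *shell)
{
    static char buf[65536];             /* /etc/shells is a few lines */
    FILE *fp;
    size_t n;

    if (shell == NULL || (fp = fopen(shells_path, "r")) == NULL)
        return -1;
    n = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return shell_in_text(buf, shell);
}

/* Constructed shells file for the stand-alone demonstration. */
static const char sample_shells[] =
    "# constructed for this example\n"
    "/bin/sh\n"
    "/bin/csh\n"
    "  /usr/pkg/bin/bash\t# leading blanks and trailing comment tolerated\n"
    "nologin\t\t# no leading slash: ignored, as getusershell(3) does\n"
    "/bin/ksh";                         /* last line without a newline */

/* Check `shell` against sample_shells: 1 = listed, 0 = not listed. */
int sample_check(const char *shell)
{
    return shell_in_text(sample_shells, shell);
}

#ifdef PAM_MODULE
#define PAM_SM_ACCOUNT
#include <pwd.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>

/* Account hook: "account required pam_shell.so" in the service's pam.d. */
PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char *argv[])
{
    const char *user, *shell;
    struct passwd *pw;

    (void)flags; (void)argc; (void)argv;
    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL ||
        (pw = getpwnam(user)) == NULL)
        return PAM_USER_UNKNOWN;
    /* BSD login(1) convention: an empty shell field means /bin/sh. */
    shell = (pw->pw_shell && *pw->pw_shell) ? pw->pw_shell : "/bin/sh";
    switch (shell_is_listed("/etc/shells", shell)) {
    case 1:  return PAM_SUCCESS;
    case 0:  return PAM_PERM_DENIED;
    default: return PAM_SYSTEM_ERR;     /* no /etc/shells: fail closed */
    }
}
PAM_MODULE_ENTRY("pam_shell");
#endif
```

Build it as a module with something like `cc -shared -fPIC -DPAM_MODULE -o pam_shell.so pam_shell.c -lpam` and add `account required pam_shell.so` to the pam.d file of each service that should honour /etc/shells. The one deliberate difference from getusershell(3) is that a missing or unreadable /etc/shells denies everyone rather than falling back to the built-in /bin/sh and /bin/csh list, so make sure the file exists before enabling the module.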