Subject: Re: ssh+pam letting me in inappropriately?
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Daniel Carosone <dan@geek.com.au>
List: current-users
Date: 04/15/2005 14:00:02

On Thu, Apr 14, 2005 at 11:28:26PM -0400, Steven M. Bellovin wrote:
> I assume I'm doing something wrong, but sshd with PAM enabled let me
> log in with no authentication, when it shouldn't have as best I can
> tell.

This looks like the classic pam "fail open" case.  Neither of the two auth
methods you had pam try (nologin, krb5) rejected the login, and it ran
off the end of the list and failed open.

I thought our pam code had been fixed not to do this, as well as not
to fail open when a chain was empty. Perhaps only the latter has been
done so far?

The trap is that the required pam_unix you commented out is no longer
there to fail, and refuse sshd a login via PAM.

At least, that's what I assume from my very limited understanding of
PAM.

--
Dan.
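A simplified model of the fail-open behaviour described above, added here as an illustration; it is not part of the original thread and not NetBSD's or OpenPAM's dispatch code. The control-flag semantics (required, requisite, sufficient) are the standard PAM ones. What pam_nologin and pam_krb5 return in each situation is an assumption of the model (IGNORE when /etc/nologin is absent, FAIL when the user has no Kerberos credential); the message does not state the real modules' return codes. The `fail_open` switch is the only thing that differs between the two dispatchers, and it decides what happens when the chain runs to its end with no module having given a decisive verdict.

```python
"""Toy model of a PAM auth-stack dispatcher, contrasting fail-open and
fail-closed handling of a chain that runs off its end (added example)."""
from enum import Enum
from functools import partial


class Result(Enum):
    SUCCESS = "success"   # module positively authenticated the user
    FAIL = "fail"         # module rejected the user
    IGNORE = "ignore"     # module had nothing to say (no verdict)


# --- module models (assumed behaviour, see lead-in) -------------------------

def pam_nologin(nologin_present=False):
    # Assumed: reject everyone while /etc/nologin exists, otherwise no verdict.
    return Result.FAIL if nologin_present else Result.IGNORE


def pam_krb5(has_valid_ticket=False):
    # Assumed: succeed only when the user proved a Kerberos credential.
    return Result.SUCCESS if has_valid_ticket else Result.FAIL


def pam_unix(password_ok=False):
    # Assumed: succeed only when the local password check passes.
    return Result.SUCCESS if password_ok else Result.FAIL


# --- dispatcher --------------------------------------------------------------

def dispatch(chain, fail_open):
    """Walk an auth chain of (control, module) pairs and return the verdict.

    requisite  - FAIL ends the stack immediately with FAIL
    required   - FAIL makes the final result FAIL, but the stack keeps running
    sufficient - SUCCESS ends the stack with SUCCESS unless a required module
                 already failed; a FAIL from a sufficient module is ignored
    IGNORE from any module contributes nothing.
    """
    verdict = None  # None: no decisive verdict has been produced yet
    for control, module in chain:
        r = module()
        if r is Result.IGNORE:
            continue
        if control in ("required", "requisite"):
            if r is Result.FAIL:
                if control == "requisite":
                    return Result.FAIL
                verdict = Result.FAIL
            elif verdict is None:
                verdict = Result.SUCCESS
        elif control == "sufficient" and r is Result.SUCCESS:
            if verdict is not Result.FAIL:
                return Result.SUCCESS
    if verdict is None:
        # Ran off the end of the list without anyone deciding. A fail-open
        # dispatcher grants the login here; a fail-closed one denies it.
        return Result.SUCCESS if fail_open else Result.FAIL
    return verdict


# --- the chains from the message --------------------------------------------

def chain_as_described():
    """pam_unix commented out: only nologin (no /etc/nologin) and krb5 (no
    ticket) are left, and neither rejects the login."""
    return [("required", partial(pam_nologin, nologin_present=False)),
            ("sufficient", partial(pam_krb5, has_valid_ticket=False))]


def chain_with_unix(password_ok):
    """The same chain with the required pam_unix line restored."""
    return chain_as_described() + [
        ("required", partial(pam_unix, password_ok=password_ok))]


if __name__ == "__main__":
    for name, chain in (("without pam_unix", chain_as_described()),
                        ("with pam_unix, bad password", chain_with_unix(False)),
                        ("with pam_unix, good password", chain_with_unix(True))):
        print(f"{name:30s} fail-open: {dispatch(chain, True).value:8s} "
              f"fail-closed: {dispatch(chain, False).value}")
```

Two independent things close the hole in this model: restoring a required module that actually checks a credential, and having the dispatcher deny by default when it reaches the end of the chain with no verdict. Either alone stops this particular login; only the second protects against the next misedited config.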