Subject: Re: ssh+pam letting me in inappropriately?
To: Steven M. Bellovin <>
From: Daniel Carosone <>
List: current-users
Date: 04/15/2005 14:00:02

On Thu, Apr 14, 2005 at 11:28:26PM -0400, Steven M. Bellovin wrote:
> I assume I'm doing something wrong, but sshd with PAM enabled let me
> log in with no authentication, when it shouldn't have as best I can
> tell.

This looks like the classic pam "fail open" case.  None of the 2 auth
methods you had pam try (nologin, krb5) rejected the login, and it ran
off the end of the list and failed open.

I thought our pam code had been fixed not to do this, as well as not
to fail open when a chain was empty. Perhaps only the latter has been
done so far?

The trap is that the required pam_unix you commented out is no longer
there to fail, and refuse sshd a login via PAM.

At least, that's what I assume from my very limited understanding of


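The chain behaviour discussed in this message, as an added example that is not part of the original e-mail or of any PAM implementation: a simplified model of required/requisite/sufficient/optional evaluation. The control flags, module results, and the names `evaluate` and `deciding_modules` are assumptions, since the thread does not show the actual pam.d file.

```python
# Added example: simplified model of PAM control-flag evaluation.
# Control flags and module results below are constructed assumptions;
# the thread does not show the actual pam.d file.
SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

def evaluate(chain, results):
    """Return True if the auth chain grants access.

    chain:   list of (control_flag, module_name) in file order
    results: module_name -> SUCCESS / FAIL / IGNORE
    """
    failed = False      # a required module has failed
    succeeded = False   # at least one module has positively succeeded
    for control, module in chain:
        result = results[module]
        if result == IGNORE:
            continue
        if result == SUCCESS:
            succeeded = True
            # sufficient ends the chain only if nothing required failed
            if control == "sufficient" and not failed:
                return True
        elif control == "requisite":
            return False            # fail immediately
        elif control == "required":
            failed = True           # fail, but keep running the chain
        # a failing sufficient/optional module is ignored
    # Deny unless something succeeded: an empty or all-ignored chain
    # must not fall through to success.
    return succeeded and not failed

def deciding_modules(chain):
    """Modules whose failure can actually deny the login."""
    return [m for c, m in chain if c in ("required", "requisite")]

# Constructed chain resembling the situation described in the thread.
as_edited = [("required", "pam_nologin"), ("sufficient", "pam_krb5")]
restored = as_edited + [("required", "pam_unix")]
# No /etc/nologin file, no Kerberos ticket, no valid password supplied.
no_credentials = {"pam_nologin": SUCCESS, "pam_krb5": FAIL, "pam_unix": FAIL}

if __name__ == "__main__":
    for name, chain in (("as edited", as_edited), ("restored", restored)):
        print(name, "->", "ALLOW" if evaluate(chain, no_credentials) else "DENY",
              "| can deny:", deciding_modules(chain))
```

In the edited chain the only module able to deny is pam_nologin, which checks for a nologin file rather than credentials, so a user presenting nothing is still admitted.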