Subject: Re: ssh+pam letting me in inappropriately?
To: Steven M. Bellovin <firstname.lastname@example.org>
From: Daniel Carosone <email@example.com>
Date: 04/15/2005 14:00:02
Content-Type: text/plain; charset=us-ascii
On Thu, Apr 14, 2005 at 11:28:26PM -0400, Steven M. Bellovin wrote:
> I assume I'm doing something wrong, but sshd with PAM enabled let me
> log in with no authentication, when it shouldn't have as best I can
This looks like the classic pam "fail open" case. Neither of the two auth
methods you had pam try (nologin, krb5) rejected the login, and it ran
off the end of the list and failed open.
I thought our pam code had been fixed not to do this, as well as not
to fail open when a chain was empty. Perhaps only the latter has been
done so far?
The trap is that the required pam_unix you commented out is no longer
there to fail, and refuse sshd a login via PAM.
At least, that's what I assume from my very limited understanding of
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (NetBSD)
-----END PGP SIGNATURE-----
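A quick way to catch the configuration the message describes before sshd does it for you. The script below is an added example, not part of the mail thread and not NetBSD's own tooling: it scans a pam.d service file and flags an "auth" stack whose last uncommented entry is not `required`/`requisite` (so a failing `sufficient` module, whose failure is ignored, can be the last word), and an auth stack with no entries at all (the "empty chain" case). The three sample files are constructed to mirror the stack described above (nologin required, krb5 sufficient, pam_unix commented out) and are not anyone's real `/etc/pam.d/sshd`; the function name `pam_auth_backstop_ok` is my own. It assumes the plain `type control module [args]` line format; bracketed Linux-PAM controls and `include`/`substack` lines are not interpreted and simply count as "not a backstop", so they get flagged for a manual look.

```shell
#!/bin/sh
# Added check (not from the mail thread): flag a pam.d service whose "auth"
# stack has lost its deny backstop. With nologin (required, passes when no
# nologin file exists) followed by krb5 (sufficient, whose failure is ignored)
# and the required pam_unix commented out, nothing is left to refuse the login.
# Heuristic: report an auth stack whose last entry is not required/requisite,
# and an auth stack with no entries at all.
# Assumption: "type control module [args]" lines; bracketed controls and
# include/substack are not parsed and count as "not a backstop".

pam_auth_backstop_ok() {
    # $1 is a pam.d service file such as /etc/pam.d/sshd.
    # Returns 0 if the last uncommented auth line is required/requisite.
    last_ctrl=$(awk '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        NF >= 3 && $1 == "auth" { ctrl = $2 }     # control of the last auth line wins
        END { print ctrl }
    ' "$1")
    case "$last_ctrl" in
        required|requisite) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Constructed sample configs (not anyone's real /etc/pam.d/sshd).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

FAILOPEN_CFG="$tmpdir/sshd.failopen"
cat > "$FAILOPEN_CFG" <<'EOF'
# auth stack as the message describes it: required pam_unix commented out
auth    required    pam_nologin.so  no_warn
auth    sufficient  pam_krb5.so     no_warn try_first_pass
#auth   required    pam_unix.so     no_warn try_first_pass
account required    pam_unix.so
EOF

FIXED_CFG="$tmpdir/sshd.fixed"
cat > "$FIXED_CFG" <<'EOF'
# same stack with the required module restored as the final entry
auth    required    pam_nologin.so  no_warn
auth    sufficient  pam_krb5.so     no_warn try_first_pass
auth    required    pam_unix.so     no_warn try_first_pass
account required    pam_unix.so
EOF

EMPTY_CFG="$tmpdir/sshd.empty"
cat > "$EMPTY_CFG" <<'EOF'
# no auth lines at all: the "empty chain" case
account required    pam_unix.so
EOF

for f in "$FAILOPEN_CFG" "$FIXED_CFG" "$EMPTY_CFG"; do
    if pam_auth_backstop_ok "$f"; then
        echo "OK     : $f ends its auth stack with a required/requisite module"
    else
        echo "SUSPECT: $f auth stack can run off the end without a denial"
    fi
done
```

Run it against each service file in /etc/pam.d after editing; a "SUSPECT" line means the stack depends on whatever the library does when it runs off the end, which is exactly the behaviour the message is complaining about, rather than on a module that actually says no.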