Subject: Re: ssh+pam letting me in inappropriately?
To: Steven M. Bellovin <>
From: Roland Dowdeswell <>
List: current-users
Date: 04/15/2005 17:03:53
On 1113535706 seconds since the Beginning of the UNIX epoch
"Steven M. Bellovin" wrote:

>This is a system built from today's sources.  I changed a few things in 
>sshd_config, to block passwords from being used, to permit X 
>forwarding, to permit root login, and to use protocol 2 only.  Per a 
>previous discussion about PAM, I deleted this line:
>	#auth           required     no_warn try_first_pass
>from /etc/rc.d/pamd.  When I tried to connect via ssh, I was prompted 
>for my RSA key; I just hit return.  (No, I don't have a null 
>passphrase.)  It let me in anyway.  This isn't good...

I assume that your PAM configuration looks something like:

auth            required          no_warn
auth            sufficient             no_warn try_first_pass
#auth            required             no_warn try_first_pass

after your modification?

In that case, is not required to succeed.  It is not
exactly ``failing open'' because has succeeded.

PAM configuration is not exactly intuitive, IMO.

    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/
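To make the control-flag behaviour the reply relies on concrete, here is a small model of how an `auth` stack is walked (required / requisite / sufficient / optional). This is an added example, not code from the thread or from any PAM implementation; the module names `nologin`, `keyauth` and `unixpw` are constructed placeholders standing in for the module fields that do not survive in the quoted config, and the "before"/"after" files are likewise constructed.

```python
"""Model of PAM 'auth' stack evaluation (required / requisite / sufficient / optional).

Added example; module names (nologin, keyauth, unixpw) are constructed
placeholders, not the modules from the original thread.
"""

# Constructed stand-in for an sshd PAM file before and after commenting out
# the last 'required' line, as discussed in the thread.
STACK_BEFORE = """\
auth  required    nologin   no_warn
auth  sufficient  keyauth   no_warn try_first_pass
auth  required    unixpw    no_warn try_first_pass
"""

STACK_AFTER = """\
auth  required    nologin   no_warn
auth  sufficient  keyauth   no_warn try_first_pass
#auth required    unixpw    no_warn try_first_pass
"""


def parse_auth_stack(text):
    """Return [(control, module), ...] for the 'auth' lines, skipping comments."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        stack.append((fields[1], fields[2]))
    return stack


def evaluate_auth_stack(stack, results):
    """Walk the stack with the usual control-flag semantics.

    results maps module -> True (PAM_SUCCESS) or False; a module missing
    from results is treated as failing.  Returns (authenticated, consulted).
    """
    required_failed = False
    consulted = []
    for control, module in stack:
        ok = results.get(module, False)
        consulted.append(module)
        if control == "required":
            if not ok:
                required_failed = True          # remembered, chain continues
        elif control == "requisite":
            if not ok:
                return False, consulted         # fail the chain at once
        elif control == "sufficient":
            if ok and not required_failed:
                return True, consulted          # short-circuit: success now
            # a failing 'sufficient' module is simply ignored
        elif control == "optional":
            pass                                # never decides a mixed chain
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return (not required_failed), consulted


def outcome(config_text, results):
    """Parse a config fragment and evaluate it against per-module results."""
    return evaluate_auth_stack(parse_auth_stack(config_text), results)


# Scenario 1: the 'sufficient' module succeeds.  The third line is never
# consulted in either file, so removing it changes nothing here.
KEY_OK = {"nologin": True, "keyauth": True, "unixpw": False}

# Scenario 2: the 'sufficient' module fails.  With the last 'required'
# line removed, the only required module left is a non-authenticating
# check, so the chain succeeds without any credential being verified.
KEY_FAILED = {"nologin": True, "keyauth": False, "unixpw": False}

if __name__ == "__main__":
    for name, cfg in (("before", STACK_BEFORE), ("after", STACK_AFTER)):
        for label, res in (("key ok", KEY_OK), ("key failed", KEY_FAILED)):
            ok, seen = outcome(cfg, res)
            print(f"{name:6} {label:10} -> {'allow' if ok else 'deny':5} via {seen}")
```

The practical check this suggests: after editing a PAM stack, read the file as a chain and ask which module is the last one that actually verifies a credential; if every remaining `required` line is a policy check rather than an authenticator, a failed `sufficient` module leaves nothing standing between the client and PAM_SUCCESS.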