Subject: Re: ssh+pam letting me in inappropriately?
To: Steven M. Bellovin <firstname.lastname@example.org>
From: Roland Dowdeswell <email@example.com>
Date: 04/15/2005 17:03:53
On 1113535706 seconds since the Beginning of the UNIX epoch
"Steven M. Bellovin" wrote:
>This is a system built from today's sources. I changed a few things in
>sshd_config, to block passwords from being used, to permit X
>forwarding, to permit root login, and to use protocol 2 only. Per a
>previous discussion about PAM, I deleted this line:
> #auth required pam_unix.so no_warn try_first_pass
>from /etc/rc.d/pamd. When I tried to connect via ssh, I was prompted
>for my RSA key; I just hit return. (No, I don't have a null
>passphrase.) It let me in anyway. This isn't good...
I assume that your PAM configuration looks someting like:
auth required pam_nologin.so no_warn
auth sufficient pam_krb5.so no_warn try_first_pass
#auth required pam_unix.so no_warn try_first_pass
after your modification?
In that case, pam_krb5.so is not required to succeed. It is not
exactly ``failing open'' because pam_nologin.so has succeeded.
PAM configuration is not exactly intuitive, IMO.
Roland Dowdeswell http://www.Imrryr.ORG/~elric/