Subject: Re: ssh+pam letting me in inappropriately?
To: Roland Dowdeswell <>
From: Steven M. Bellovin <>
List: current-users
Date: 04/16/2005 10:34:37
In message <>, Roland Dowdeswell wri
>On 1113535706 seconds since the Beginning of the UNIX epoch
>"Steven M. Bellovin" wrote:
>>This is a system built from today's sources.  I changed a few things in 
>>sshd_config, to block passwords from being used, to permit X 
>>forwarding, to permit root login, and to use protocol 2 only.  Per a 
>>previous discussion about PAM, I deleted this line:
>>	#auth           required     no_warn try_first_pass
>>from /etc/rc.d/pamd.  When I tried to connect via ssh, I was prompted 
>>for my RSA key; I just hit return.  (No, I don't have a null 
>>passphrase.)  It let me in anyway.  This isn't good...
>I assume that your PAM configuration looks something like:
>auth            required          no_warn
>auth            sufficient             no_warn try_first_pass
>#auth            required             no_warn try_first_pas
>after your modification?
>In that case, is not required to succeed.  It is not
>exactly ``failing open'' because has succeeded.
>PAM configuration is not exactly intuitive, IMO.


Yes, that's what I have.  In other words, I need to change the 
"sufficient" on the krb5 line to "required"?  Bear in mind that I don't 
have Kerberos.

		--Prof. Steven M. Bellovin,
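
Added example, not part of the original message or of any PAM implementation: a simplified Python model of how an auth chain combines the "required" and "sufficient" control flags discussed above, showing why the chain still succeeds once the last "required" line is commented out. The module labels (first_required, krb5, password_check) and their results are constructed placeholders, since the module names are missing from the quoted configuration.

```python
# Simplified model of PAM chain evaluation for the control flags
# "required", "requisite" and "sufficient". Module labels and results
# are constructed placeholders, not names from the original message.
SUCCESS, FAILURE = "success", "failure"


def evaluate(chain, results):
    """chain: list of (control, label); results: label -> SUCCESS/FAILURE."""
    failed = False      # a required module has already failed
    succeeded = False   # at least one module has succeeded
    for control, label in chain:
        if results[label] == SUCCESS:
            succeeded = True
            if control == "sufficient" and not failed:
                return SUCCESS          # stop early, skip the rest
        elif control == "required":
            failed = True               # remember it, keep running
        elif control == "requisite":
            return FAILURE              # stop immediately
        # a failing "sufficient" module is simply ignored
    # Choice made by this model: a chain where nothing succeeded is denied.
    return SUCCESS if succeeded and not failed else FAILURE


def gating(chain):
    """Labels of the modules whose failure alone denies access."""
    return [label for control, label in chain
            if control in ("required", "requisite")]


# The three-line chain before the edit, and the two lines left after it.
BEFORE_EDIT = [("required", "first_required"),
               ("sufficient", "krb5"),
               ("required", "password_check")]
AFTER_EDIT = BEFORE_EDIT[:2]
KRB5_REQUIRED = [("required", "first_required"), ("required", "krb5")]

# Constructed scenario: first module passes, no Kerberos, no valid password.
RESULTS = {"first_required": SUCCESS, "krb5": FAILURE,
           "password_check": FAILURE}

if __name__ == "__main__":
    for name, chain in (("before edit", BEFORE_EDIT),
                        ("after edit", AFTER_EDIT),
                        ("krb5 required", KRB5_REQUIRED)):
        print(name, "->", evaluate(chain, RESULTS), "gated by", gating(chain))
```

In this model the edited chain is gated only by its first module, so a caller who presents no valid credential is still accepted; with the krb5 line set to "required" and no Kerberos available, the same chain denies every caller.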