Subject: Re: ssh+pam letting me in inappropriately?
To: Roland Dowdeswell <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 04/16/2005 10:34:37
In message <20050415210353.41C363703B@arioch.imrryr.org>, Roland Dowdeswell wri
>On 1113535706 seconds since the Beginning of the UNIX epoch
>"Steven M. Bellovin" wrote:
>>This is a system built from today's sources. I changed a few things in
>>sshd_config, to block passwords from being used, to permit X
>>forwarding, to permit root login, and to use protocol 2 only. Per a
>>previous discussion about PAM, I deleted this line:
>> #auth required pam_unix.so no_warn try_first_pass
>>from /etc/rc.d/pamd. When I tried to connect via ssh, I was prompted
>>for my RSA key; I just hit return. (No, I don't have a null
>>passphrase.) It let me in anyway. This isn't good...
>I assume that your PAM configuration looks someting like:
>auth required pam_nologin.so no_warn
>auth sufficient pam_krb5.so no_warn try_first_pass
>#auth required pam_unix.so no_warn try_first_pas
>after your modification?
>In that case, pam_krb5.so is not required to succeed. It is not
>exactly ``failing open'' because pam_nologin.so has succeeded.
>PAM configuration is not exactly intuitive, IMO.
Yes, that's what I have. In other words, I need to change the
"sufficient" on the krb5 line to "required"? Bear in mind that I don't
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb