NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

bin/41812: sshd config enables both password *and* pam (keyboard-interactive)

>Number:         41812
>Category:       bin
>Synopsis:       as shipped, sshd enables both password and PAM. thus securing 
>requires turning off both.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          doc-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Aug 04 07:30:00 +0000 2009
>Originator:     George Michaelson
>Release:        NetBSD 5.0
System: NetBSD sploid 5.0 NetBSD 5.0 (GENERIC) #0: Sun Apr 26 18:50:08 UTC 2009
Architecture: i386
Machine: i386
ok. So, I decided to enable SSH key-only access back to my home host. But, it 
turns out that you can't disable password login with one sshd_config change: 
you have to BOTH disable PAM and the password entry. Because, one is 'password' 
and the other is 'keyboard-interactive' (duh! like, is that not the same thing?)
        run a 5.0 install, try and disable ssh login access with password
man sshd | grep eyboard-interactive             no match
man sshd_config | grep eyboard-interactive      no match
man sshd | grep -i pam                          no match
man sshd_config | grep -i pam                   no match

Hmm. so, the default turns ON pam, but, doesn't document the implications?

I'd suggest something like:

        By default, sshd is shipped in NetBSD 5.0 with password login accepted
        from both PAM and normal login processing. If you want a more secure
        sshd, you should probably restrict it to key-based authentication only.

        To disable password login, you must define BOTH the 

                PasswordAuthentication no
                UsePam no

        settings in /etc/sshd/sshd_config


Home | Main Index | Thread Index | Old Index