NetBSD-Users archive


Re: sshd UsePAM, PR bin/32313



On Sun, Nov 22, 2009 at 10:05:39PM +0100, Michael van Elst wrote:
> 
> Disabling password logins for SSH can be done by replacing
> the 'auth required pam_unix.so' clause with a 'auth required
> pam_deny.so' clause in the PAM configuration. This leaves
> Kerberos for PAM authentication, but I guess such a configuration
> would be surprising to everyone.

No -- you *don't* want to do this -- you'll end up accepting Kerberos
passwords using ChallengeResponseAuthentication -- in other words,
you'll have effectively left password authentication enabled for any
site which uses Kerberos.

Because the SSH protocol has built-in support for Kerberos via GSSAPI,
sshd's PAM file should disable both pam_unix and pam_kerberos.  I really
think it should just do pam_deny and leave it at that -- if the admin
wants to turn on PasswordAuthentication that can be done in the sshd_config
file.
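
Added example, not part of the original message or of NetBSD's own code: a small Python check of which password-verifying PAM modules an sshd auth stack can still succeed through when keyboard-interactive authentication is routed to PAM. It assumes simplified PAM control semantics (plain `required`/`requisite`/`sufficient`/`binding` keywords only), takes `pam_krb5.so` as the Kerberos module name, and runs on constructed configuration text with both sshd options set explicitly (defaults are not modelled).

```python
# Added example: constructed inputs, simplified PAM control semantics (assumptions).
PASSWORD_MODULES = {"pam_unix.so", "pam_krb5.so"}  # modules that verify a typed password

def auth_stack(pam_text):
    """Return [(control, module)] for the auth lines of a PAM service file."""
    stack = []
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def password_modules_reachable(stack):
    """Password modules whose success can still make the auth stack succeed."""
    immediate, pending, doomed = [], [], False
    for control, module in stack:
        if module == "pam_deny.so" and control in ("required", "requisite"):
            doomed, pending = True, []      # the stack can no longer end in success
            if control == "requisite":
                break
        elif module in PASSWORD_MODULES and not doomed:
            if control in ("sufficient", "binding"):
                immediate.append(module)    # success returns before any later deny
            elif control in ("required", "requisite"):
                pending.append(module)      # counts only if nothing later denies
    return immediate + pending

def sshd_options(config_text):
    """Parse keyword/value pairs; the first occurrence of a keyword wins."""
    opts = {}
    for line in config_text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if len(fields) == 2:
            opts.setdefault(fields[0].lower(), fields[1].strip().lower())
    return opts

def passwords_accepted_via_pam(config_text, pam_text):
    opts = sshd_options(config_text)
    if opts.get("usepam") == "yes" and opts.get("challengeresponseauthentication") == "yes":
        return password_modules_reachable(auth_stack(pam_text))
    return []

# Constructed samples: pam_unix swapped for pam_deny, versus pam_deny alone.
SSHD_CONFIG = "PasswordAuthentication no\nUsePAM yes\nChallengeResponseAuthentication yes\n"
PAM_UNIX_TO_DENY = "auth sufficient pam_krb5.so no_warn try_first_pass\nauth required pam_deny.so\n"
PAM_DENY_ONLY = "auth required pam_deny.so\n"

if __name__ == "__main__":
    print(passwords_accepted_via_pam(SSHD_CONFIG, PAM_UNIX_TO_DENY))  # ['pam_krb5.so']
    print(passwords_accepted_via_pam(SSHD_CONFIG, PAM_DENY_ONLY))     # []
```

A non-empty result with `PasswordAuthentication no` is the situation the reply warns about: typed passwords are still verified, just through the challenge-response path.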


