tech-security archive


Re: sshd_config and pam...



On Wed, 29 Jul 2009, Darren Reed wrote:
> I don't know if this is known or not, but it appears that enabling PAM
> in your sshd_conf file makes entries such as "PasswordAuthentication"
> meaningless. With PAM enabled, I was able to login with ssh using a
> password even with the aforementioned setting at "no".

Right.  You were using PAM's idea of password authentication, not sshd's
idea of password authentication.

I wish there was a single setting like
"AllowedAuthentications=pubkey,kerberos" so I don't have to RTFM every
time I install a new version of ssh to find out whether I need to add
another "FooAuthentication no" line.

> Is it worthwhile adding some sort of warning to sshd that spits out a
> message of some sort about this if UsePAM is set to yes and there
> are other authentication driven directives present and not commented
> out?

I don't care either way about a warning in the syslog or stderr, but I'd
like to see clear warnings in the documentation for UsePAM.

--apb (Alan Barrett)
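
The warning proposed in this thread, written as a stand-alone linter; this is an added example, not part of the original message and not OpenSSH code. It assumes the PAM password path is sshd's keyboard-interactive method (switched by `ChallengeResponseAuthentication` / `KbdInteractiveAuthentication`), that the defaults in `ASSUMED_DEFAULTS` match your build, and it reads only the global section before the first `Match`.

```python
"""Lint the global section of an sshd_config for the UsePAM case above."""

# Assumed compiled-in defaults; confirm against sshd_config(5) on your system.
ASSUMED_DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Older releases name the keyboard-interactive switch this way.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample inputs, not taken from the thread.
WEAK = "# constructed sample\nUsePAM yes\nPasswordAuthentication no\n"
HARDENED = WEAK + "ChallengeResponseAuthentication no\n"


def effective_settings(config_text):
    """Global settings as sshd sees them: first value per keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.replace("=", " ", 1).split()
        if not tokens:
            continue
        keyword = tokens[0].lower()  # keywords are case-insensitive
        if keyword == "match":       # conditional blocks are out of scope
            break
        keyword = ALIASES.get(keyword, keyword)
        if len(tokens) > 1 and keyword not in seen:
            seen[keyword] = tokens[1]
    return {**ASSUMED_DEFAULTS, **seen}


def pam_password_warnings(config_text):
    """Warn when password logins are 'disabled' but PAM can still ask for one."""
    s = effective_settings(config_text)
    if (s["usepam"] == "yes" and s["passwordauthentication"] == "no"
            and s["kbdinteractiveauthentication"] != "no"):
        return ["PasswordAuthentication is 'no', but UsePAM is 'yes' and "
                "keyboard-interactive is not disabled: PAM can still accept "
                "a password"]
    return []


if __name__ == "__main__":
    for text in (WEAK, HARDENED):
        print(pam_password_warnings(text) or "no PAM password warning")
```

Running `sshd -T` on the host prints the effective configuration and is the authoritative check for what a given build actually applies.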

