Subject: Re: ssh+pam letting me in inappropriately?
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Roland Dowdeswell <elric@imrryr.org>
List: current-users
Date: 04/15/2005 17:03:53
On 1113535706 seconds since the Beginning of the UNIX epoch
"Steven M. Bellovin" wrote:
>
>This is a system built from today's sources. I changed a few things in
>sshd_config, to block passwords from being used, to permit X
>forwarding, to permit root login, and to use protocol 2 only. Per a
>previous discussion about PAM, I deleted this line:
>
> #auth required pam_unix.so no_warn try_first_pass
>
>from /etc/rc.d/pamd. When I tried to connect via ssh, I was prompted
>for my RSA key; I just hit return. (No, I don't have a null
>passphrase.) It let me in anyway. This isn't good...
I assume that your PAM configuration looks something like:
auth required pam_nologin.so no_warn
auth sufficient pam_krb5.so no_warn try_first_pass
#auth required pam_unix.so no_warn try_first_pass
after your modification?
In that case, pam_krb5.so is not required to succeed. It is not
exactly ``failing open'' because pam_nologin.so has succeeded.
PAM configuration is not exactly intuitive, IMO.
--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/
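The stacking behaviour Roland describes, as an added example that is not part of the original thread: a toy Python model of PAM control flags, run over the three-line stack he assumes, with and without the commented-out pam_unix line. The config text and the per-module outcomes (pam_nologin succeeding because no /etc/nologin exists, pam_krb5 and pam_unix rejecting the empty password) are constructed for the example, and the evaluator is a simplified model of Linux-PAM/OpenPAM control-flag semantics, not libpam itself.

```python
"""Toy model of how a PAM 'auth' stack combines module results.

Added example, not code from the thread. The evaluator is a simplified
model of the usual control-flag semantics (required / requisite /
sufficient / optional) as implemented by Linux-PAM and OpenPAM; it is
not libpam and ignores return codes other than success/failure.
"""
from dataclasses import dataclass

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"

# Constructed to match the sshd stack Roland assumes in his reply.
SSHD_PAM_AFTER_EDIT = """
auth required pam_nologin.so no_warn
auth sufficient pam_krb5.so no_warn try_first_pass
#auth required pam_unix.so no_warn try_first_pass
"""

# The same stack with the pam_unix line still active.
SSHD_PAM_ORIGINAL = SSHD_PAM_AFTER_EDIT.replace("#auth", "auth")


@dataclass(frozen=True)
class Rule:
    service_type: str   # auth, account, session, password
    control: str        # required, requisite, sufficient, optional
    module: str         # e.g. pam_unix.so


def parse_stack(text, service_type="auth"):
    """Parse pam.d-style lines, keeping only the requested service type."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != service_type:
            continue
        rules.append(Rule(fields[0], fields[1], fields[2]))
    return rules


def run_stack(rules, outcomes):
    """Combine per-module results (module name -> True/False) into one verdict.

    - requisite: failure ends the stack with failure at once.
    - required: failure is remembered, but later modules still run.
    - sufficient: success ends the stack with success unless a required
      module has already failed; failure is simply ignored.
    - optional: only counts if nothing else has decided the outcome.
    """
    required_failed = False
    decided_success = False
    for rule in rules:
        ok = outcomes.get(rule.module, False)   # unknown module: treat as failure
        if rule.control == "requisite":
            if not ok:
                return PAM_AUTH_ERR
            decided_success = True
        elif rule.control == "required":
            if ok:
                decided_success = True
            else:
                required_failed = True
        elif rule.control == "sufficient":
            if ok and not required_failed:
                return PAM_SUCCESS
        elif rule.control == "optional":
            if ok:
                decided_success = True
        else:
            raise ValueError(f"unknown control flag {rule.control!r}")
    if required_failed or not decided_success:
        return PAM_AUTH_ERR
    return PAM_SUCCESS


# Constructed outcomes for the login attempt in the thread: /etc/nologin
# is absent so pam_nologin succeeds; Kerberos and pam_unix both reject
# the empty password.
ATTEMPT = {"pam_nologin.so": True, "pam_krb5.so": False, "pam_unix.so": False}


def result_after_removing_pam_unix():
    return run_stack(parse_stack(SSHD_PAM_AFTER_EDIT), ATTEMPT)


def result_with_pam_unix_required():
    return run_stack(parse_stack(SSHD_PAM_ORIGINAL), ATTEMPT)


def result_with_krb5_required():
    # One way to close the hole: make Kerberos mandatory instead of sufficient.
    fixed = SSHD_PAM_AFTER_EDIT.replace("auth sufficient pam_krb5.so",
                                        "auth required pam_krb5.so")
    return run_stack(parse_stack(fixed), ATTEMPT)


if __name__ == "__main__":
    print("pam_unix removed:       ", result_after_removing_pam_unix())
    print("pam_unix still required:", result_with_pam_unix_required())
    print("pam_krb5 made required: ", result_with_krb5_required())
```

With pam_unix removed, the only remaining module that must succeed is pam_nologin, which does; the failing pam_krb5 is "sufficient", so its failure is discarded and the stack returns success. Restoring a required module that actually checks credentials, or changing pam_krb5 to required, turns the same attempt into a denial.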