Subject: Re: ssh+pam letting me in inappropriately?
To: Roland Dowdeswell <elric@imrryr.org>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: current-users
Date: 04/16/2005 10:34:37
In message <20050415210353.41C363703B@arioch.imrryr.org>, Roland Dowdeswell writes:
>On 1113535706 seconds since the Beginning of the UNIX epoch
>"Steven M. Bellovin" wrote:
>>
>
>>This is a system built from today's sources. I changed a few things in
>>sshd_config, to block passwords from being used, to permit X
>>forwarding, to permit root login, and to use protocol 2 only. Per a
>>previous discussion about PAM, I deleted this line:
>>
>> #auth required pam_unix.so no_warn try_first_pass
>>
>>from /etc/rc.d/pamd. When I tried to connect via ssh, I was prompted
>>for my RSA key; I just hit return. (No, I don't have a null
>>passphrase.) It let me in anyway. This isn't good...
>
>I assume that your PAM configuration looks something like:
>
>auth required pam_nologin.so no_warn
>auth sufficient pam_krb5.so no_warn try_first_pass
>#auth required pam_unix.so no_warn try_first_pass
>
>after your modification?
>
>In that case, pam_krb5.so is not required to succeed. It is not
>exactly ``failing open'' because pam_nologin.so has succeeded.
>
>PAM configuration is not exactly intuitive, IMO.
Yah...
Yes, that's what I have. In other words, I need to change the
"sufficient" on the krb5 line to "required"? Bear in mind that I don't
have Kerberos.
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
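The exchange above turns on how a PAM "auth" stack is scored once a line is removed. The following is an added example, not code from the thread or from NetBSD: a small simulator of the standard required/requisite/sufficient/optional rules (as documented for OpenPAM and Linux-PAM; the real dispatcher has extra corner cases for setcred and PRELIM_CHECK that are left out). The three sample chains are reconstructed from Roland's reading of the configuration and are constructed input, not the real /etc/pam.d/sshd. It goes one step past the message by also scoring the "change sufficient to required" idea on a host with no Kerberos, and by adding a worst-case fail-open check (my own, not a PAM feature) that asks whether a chain still grants access when every credential-checking module fails and only the gate module pam_nologin.so succeeds.

```python
"""Simulate PAM 'auth' stack evaluation to show why deleting the pam_unix.so
line lets an empty password/passphrase through.

Added example; not from the thread.  Semantics modelled: required failure is
recorded but the chain continues, requisite failure stops immediately,
sufficient success stops with success unless a required module already
failed, sufficient/optional failures are ignored.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Entry:
    facility: str   # auth, account, session, password
    control: str    # required, requisite, sufficient, optional
    module: str     # e.g. pam_unix.so
    args: tuple


def parse_chain(text: str, facility: str = "auth") -> list[Entry]:
    """Parse pam.d-style lines for one facility.  Anything after '#' is a
    comment, so a '#auth required pam_unix.so' line adds nothing to the chain."""
    chain = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed pam line: {raw!r}")
        if fields[0] != facility:
            continue
        chain.append(Entry(fields[0], fields[1].lower(), fields[2], tuple(fields[3:])))
    return chain


def evaluate(chain: list[Entry], outcomes: dict[str, bool]) -> bool:
    """Return True if the chain grants access given each module's own result.

    outcomes maps module name -> True (success) / False (failure).  A module
    absent from outcomes is treated as failing, e.g. pam_krb5.so on a host
    that has no Kerberos, or pam_unix.so when the user just hits return.
    """
    if not chain:
        return False            # OpenPAM reports PAM_SYSTEM_ERR for an empty chain
    failed = False
    for e in chain:
        ok = outcomes.get(e.module, False)
        if ok:
            if e.control == "sufficient" and not failed:
                return True     # short-circuit: later modules are not consulted
            continue
        if e.control in ("required", "requisite"):
            failed = True
            if e.control == "requisite":
                return False
        # a failing sufficient or optional module is simply ignored
    return not failed


def fail_open(chain: list[Entry], gate_modules=("pam_nologin.so",)) -> bool:
    """Worst case (my own check, not part of PAM): every module that could
    verify a credential fails and only the non-authenticating gate modules
    succeed.  If the chain still grants access, nothing was ever checked."""
    return evaluate(chain, {m: True for m in gate_modules})


# Constructed sample chains, reconstructed from the quoted configuration.
BEFORE = """\
auth required pam_nologin.so no_warn
auth sufficient pam_krb5.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
"""
# The edit described in the message: pam_unix.so commented out.
AFTER = BEFORE.replace("auth required pam_unix.so", "#auth required pam_unix.so")
# The proposed follow-up: make the krb5 line 'required' instead.
KRB5_REQUIRED = AFTER.replace("auth sufficient pam_krb5.so", "auth required pam_krb5.so")


if __name__ == "__main__":
    # Host without Kerberos, user hits return at the prompt: pam_krb5 and
    # pam_unix both fail; only pam_nologin (no /etc/nologin present) passes.
    empty_password = {"pam_nologin.so": True}
    good_password = {"pam_nologin.so": True, "pam_unix.so": True}
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("krb5 required", KRB5_REQUIRED)):
        chain = parse_chain(cfg)
        print(f"{name:14s} empty-pw={evaluate(chain, empty_password)!s:5s} "
              f"good-pw={evaluate(chain, good_password)!s:5s} "
              f"fail_open={fail_open(chain)}")
```

Run as-is, the "before" chain denies the empty password and admits the good one; the "after" chain admits both, because the only module left that can say no (pam_krb5.so, marked sufficient) has its failure ignored and pam_nologin.so's success carries the chain. The "krb5 required" variant flips to the opposite failure mode on a Kerberos-less host: it denies everyone, a correct password included, since pam_krb5.so now must succeed and nothing else verifies the password.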