NetBSD-Users archive


Re: sshd UsePAM, PR bin/32313



On Sun, Nov 22, 2009 at 09:11:32PM +0100, Martin Husemann wrote:
> On Sun, Nov 22, 2009 at 09:09:55AM +0000, Michael van Elst wrote:
> > If anything this should be clearly documented, also how to configure
> > sshd to use its own authentication methods and how to disable PAM for
> > the rest of the system.
> 
> It would be better if we would ship a default sshd pam configuration that
> disabled root logins and logins via password, and documented how to enable
> them.

sshd already denies root logins by default; if you enable it,
you can use pam_login_access to stop logins again with entries
in /etc/login.access. E.g.:

-:root:ALL EXCEPT ttyE0 localhost

will deny root logins except from the first wscons terminal
and remote logins from localhost.


Disabling password logins for SSH can be done by replacing
the 'auth required pam_unix.so' clause with an 'auth required
pam_deny.so' clause in the PAM configuration. This leaves
Kerberos for PAM authentication, but I guess such a configuration
would be surprising to everyone.


All this is documented but the login.access documentation is
a bit short about the syntax.


Greetings,
-- 
                                Michael van Elst
Internet: mlelstv%serpens.de@localhost
                                "A potential Snark may lurk in every tree."
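
Added example, not part of the original message and not NetBSD's code: a simplified Python model of how a login.access entry such as the one quoted above is evaluated (first matching entry decides, EXCEPT inverts the rest of a list, no match means the login is allowed). It assumes group and netgroup tokens are not needed, and the user names and origins it checks are constructed.

```python
# Simplified model of login.access matching (added example, not NetBSD code).
# Assumption: group and netgroup (@name) tokens are not handled.

def origin_match(tok, origin):
    t, o = tok.lower(), origin.lower()
    if t == "all" or t == o:
        return True
    if t.startswith("."):                      # domain suffix, e.g. .example.org
        return len(o) > len(t) and o.endswith(t)
    if t == "local":                           # any origin without a dot
        return "." not in o
    return t.endswith(".") and o.startswith(t) # network prefix, e.g. 192.0.2.

def user_match(tok, user):
    return tok.lower() in ("all", user.lower())

def list_match(tokens, item, match):
    """True if item matches a token before EXCEPT and none after it."""
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            return False                       # nothing matched before EXCEPT
        if match(tok, item):
            rest = [t.upper() for t in tokens[i + 1:]]
            if "EXCEPT" not in rest:
                return True
            cut = i + 1 + rest.index("EXCEPT")
            return not list_match(tokens[cut + 1:], item, match)
    return False

def login_allowed(table, user, origin):
    """First matching entry decides; no matching entry means allowed."""
    for line in table.splitlines():
        fields = [f.strip() for f in line.split(":")]
        if line.lstrip().startswith("#") or len(fields) != 3:
            continue
        perm, users, origins = fields
        if perm not in ("+", "-"):
            continue
        split = lambda s: s.replace(",", " ").split()
        if list_match(split(origins), origin, origin_match) and \
           list_match(split(users), user, user_match):
            return perm == "+"
    return True

TABLE = "-:root:ALL EXCEPT ttyE0 localhost"     # entry quoted in the message
# Constructed origins: tty names and a documentation-range address.
for who, where in [("root", "ttyE0"), ("root", "localhost"),
                   ("root", "ttyE1"), ("root", "203.0.113.7"),
                   ("alice", "203.0.113.7")]:
    print(who, where, "allowed" if login_allowed(TABLE, who, where) else "denied")
```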

