NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: sshd UsePAM, PR bin/32313

On Sun, Nov 22, 2009 at 09:11:32PM +0100, Martin Husemann wrote:
> On Sun, Nov 22, 2009 at 09:09:55AM +0000, Michael van Elst wrote:
> > If anything this should be clearly documented, also how to configure
> > sshd to use its own authentication methods and how to disable PAM for
> > the rest of the system.
> It would be better if we would ship a default sshd pam configuration that
> disabled root logins and logins via password, and documented how to enable
> them.

sshd already denies root logins by default, if you enable it
you can use pam_login_access to stop logins again with entries
in /etc/login.access. E.g.:

-:root:ALL EXCEPT ttyE0 localhost

will deny root logins except from the first wscons terminal
and remote logins from localhost.

Disabling password logins for SSH can be done by replacing
the 'auth required' clause with a 'auth required' clause in the PAM configuration. This leaves
Kerberos for PAM authentication, but I guess such a configuration
would be surprising to everyone.

All this is documented but the login.access documentation is
a bit short about the syntax.

                                Michael van Elst
                                "A potential Snark may lurk in every tree."

Home | Main Index | Thread Index | Old Index