NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: sshd UsePAM, PR bin/32313

On Sun, Nov 22, 2009 at 10:05:39PM +0100, Michael van Elst wrote:
> Disabling password logins for SSH can be done by replacing
> the 'auth required' clause with a 'auth required
>' clause in the PAM configuration. This leaves
> Kerberos for PAM authentication, but I guess such a configuration
> would be surprising to everyone.

No -- you *don't* want to do this -- you'll end up accepting Kerberos
passwords using ChallengeResponseAuthentication -- in other words,
you'll have effectively left password authentication enabled for any
site which uses Kerberos.

Because the SSH protocol has built-in support for Kerberos via GSSAPI,
sshd's PAM file should disable both pam_unix and pam_kerberos.  I really
think it should just do pam_deny and leave it at that -- if the admin
wants to turn on PasswordAuthentication that can be done in the sshd_config

Home | Main Index | Thread Index | Old Index