pam_ssh problems
Daniel O'Connor
doconnor at gsoft.com.au
Wed May 18 12:58:53 GMT 2005
I have used pam_ssh before, and I have the following in /etc/pam.d/system :-
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ldap.so no_warn try_first_pass
auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
(i.e. what the committed version suggests).
Just recently (last week or so) I have noticed that pam_ssh will let me
log in with _any_ password (empty, or just plain wrong)! :(
If I get the passphrase wrong I log in, but the key is not added to
the agent (at least something is right :) It didn't use to do this,
however..
I just found that I had made an id_rsa file for testing purposes with no
passphrase on it. While that was a little dumb it seems very odd that
pam_ssh would let me in with any password - I think it would make
more sense to reject keys with no passphrase for authentication (with
say a nullok option).
I think I'll work on a patch.
Basically this is a heads up for anyone else that uses pam_ssh to be
a bit careful :)
--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
-- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
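The post's root cause is a private key with no passphrase, which pam_ssh then accepted with any password. The check below is an added example (not from the post or from pam_ssh) that audits private key files for a missing passphrase; it handles the legacy PEM layout of 2005 (an encrypted key carries a "Proc-Type: 4,ENCRYPTED" header) and, going beyond the post, the later openssh-key-v1 format (cipher and KDF names recorded in the blob). The key bodies are constructed stand-ins, not real key material.

```python
import base64
import struct

# Constructed sample keys: only the headers and leading fields that the check
# inspects are meaningful; the base64 bodies are placeholders, not real keys.
PEM_PLAIN = (b"-----BEGIN RSA PRIVATE KEY-----\n"
             b"MIIBOgIBAAJBAK==\n"
             b"-----END RSA PRIVATE KEY-----\n")
PEM_ENCRYPTED = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                 b"Proc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                 b"MIIBOgIBAAJBAK==\n"
                 b"-----END RSA PRIVATE KEY-----\n")

def _ssh_string(s: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(s)) + s

def _openssh_key(cipher: bytes, kdf: bytes) -> bytes:
    # Minimal openssh-key-v1 blob: magic, ciphername, kdfname, empty kdfoptions.
    body = b"openssh-key-v1\0" + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body)
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")

OPENSSH_PLAIN = _openssh_key(b"none", b"none")
OPENSSH_ENCRYPTED = _openssh_key(b"aes256-ctr", b"bcrypt")

def has_passphrase(key_file: bytes) -> bool:
    """True if the private key file appears to be passphrase-protected."""
    lines = key_file.strip().splitlines()
    if not lines or not lines[0].startswith(b"-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    if lines[0] == b"-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode(b"".join(lines[1:-1]))
        magic = b"openssh-key-v1\0"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(magic)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher, off = blob[off + 4:off + 4 + n], off + 4 + n
        (n,) = struct.unpack(">I", blob[off:off + 4])
        kdf = blob[off + 4:off + 4 + n]
        return cipher != b"none" and kdf != b"none"
    # Legacy PEM: only encrypted keys carry a Proc-Type ENCRYPTED header.
    return any(l.startswith(b"Proc-Type:") and b"ENCRYPTED" in l for l in lines[1:])

def unprotected_keys(keys: dict) -> list:
    """Return the names of keys (name -> file bytes) that have no passphrase."""
    return sorted(name for name, data in keys.items() if not has_passphrase(data))
```

Run it over the contents of each ~/.ssh identity file; any name it reports is a key that pam_ssh, as described above, would accept with an arbitrary password.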