pam_ssh problems

Jose M Rodriguez josemi at freebsd.jazztel.es
Wed May 18 13:06:42 GMT 2005


On Wednesday, 18 May 2005 14:58, Daniel O'Connor wrote:
> I have used pam_ssh before, and I have the following in
> /etc/pam.d/system :-
>
> # auth
> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
> auth            requisite       pam_opieaccess.so       no_warn allow_local
> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
> #auth           sufficient      pam_ldap.so             no_warn try_first_pass
> auth            sufficient      pam_ssh.so              no_warn try_first_pass
> auth            required        pam_unix.so             no_warn try_first_pass nullok
>
> (ie what the committed version suggests).
>
> Just recently (last week or so) I have noticed that pam_ssh will let
> me login with _any_ password (empty, or just plain wrong)! :(
>
> If I get the passphrase wrong I login, but the key is not added to
> the agent (at least something is right :) It didn't used to do this
> however..
>
> I just found that I had made a id_rsa file for testing purposes with
> no passphrase on it. While that was a little dumb it seems very odd
> that pam_ssh would let me in with any password - I think it would
> make more sense to reject keys with no passphrase for authentication
> (with say a nullok option).
>
> I think I'll work on a patch.
>
> Basically this is a heads up for anyone else that uses pam_ssh to be
> a bit careful :)

I use this, but not for login/auth, only to get the agent running with
the keys decrypted (same password used).

--
  josemi

--- /etc/pam.d/login ---
#
# $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
#
# PAM configuration for the "login" service
#

# auth
auth		required	pam_nologin.so		no_warn
auth		sufficient	pam_self.so		no_warn
auth		include		system
auth		optional	pam_ssh.so	use_first_pass

# account
account		requisite	pam_securetty.so
account		include		system

# session
session		include		system
session		optional	pam_ssh.so	want_agent

# password
password	include		system
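
The difference between the two configurations in this thread is the PAM control flag: in the quoted /etc/pam.d/system, pam_ssh.so is `sufficient` and sits before `required pam_unix.so`, so a pam_ssh success (which a passphrase-less key yields for any password) ends the stack before pam_unix ever sees the password; in the /etc/pam.d/login above it is `optional`, so its result cannot decide the outcome. The following is an added example, not code from the thread or from FreeBSD, that simulates auth-stack evaluation with simplified control-flag semantics. The stack named `system_default` (pam_ssh line commented out, as the committed version ships it) and the `scenario` helper's module outcomes are assumptions made for the demonstration.

```python
# Added example: a small simulator of PAM "auth" stack evaluation, using
# simplified control-flag semantics (required / requisite / sufficient /
# optional / include). Not FreeBSD's OpenPAM code; pathological stacks
# (e.g. only failing "sufficient" entries) are not modelled exactly.

SUCCESS, FAIL = "success", "fail"

# Constructed stacks mirroring the thread. "system_daniel" is the quoted
# /etc/pam.d/system with pam_ssh enabled; "system_default" is an
# ASSUMPTION: the shipped file with the pam_ssh line left commented out.
STACKS = {
    "system_daniel": [
        ("sufficient", "pam_opie.so"),
        ("requisite", "pam_opieaccess.so"),
        ("sufficient", "pam_ssh.so"),
        ("required", "pam_unix.so"),
    ],
    "system_default": [
        ("sufficient", "pam_opie.so"),
        ("requisite", "pam_opieaccess.so"),
        ("required", "pam_unix.so"),
    ],
    # /etc/pam.d/login as posted above, including system_default.
    "login": [
        ("required", "pam_nologin.so"),
        ("sufficient", "pam_self.so"),
        ("include", "system_default"),
        ("optional", "pam_ssh.so"),
    ],
}


def flatten(stack_name, stacks=STACKS):
    """Expand 'include' entries recursively into one flat module list."""
    out = []
    for ctl, mod in stacks[stack_name]:
        if ctl == "include":
            out.extend(flatten(mod, stacks))
        else:
            out.append((ctl, mod))
    return out


def run_auth(stack_name, results, stacks=STACKS):
    """Evaluate a stack. `results` maps module name -> SUCCESS/FAIL.
    Returns (final result, list of modules actually consulted)."""
    consulted = []
    err = None            # set once a required module has failed
    optional_result = None
    non_optional = 0
    for ctl, mod in flatten(stack_name, stacks):
        r = results.get(mod, FAIL)
        consulted.append(mod)
        if ctl == "optional":
            optional_result = r   # only counts if nothing else is in the stack
            continue
        non_optional += 1
        if ctl == "required":
            if r == FAIL and err is None:
                err = FAIL        # remember, but keep running the stack
        elif ctl == "requisite":
            if r == FAIL:
                return FAIL, consulted
        elif ctl == "sufficient":
            if r == SUCCESS and err is None:
                return SUCCESS, consulted   # short-circuit: rest never runs
    if non_optional == 0 and optional_result is not None:
        return optional_result, consulted
    return (FAIL if err else SUCCESS), consulted


def scenario(stack_name, key_has_no_passphrase, password_ok):
    """Assumed module outcomes for a local user without OPIE whose SSH key
    passphrase equals the login password (as pam_ssh try_first_pass needs).
    pam_ssh succeeds for any password when the key has no passphrase, which
    is the behaviour reported in the thread."""
    results = {
        "pam_nologin.so": SUCCESS,
        "pam_self.so": FAIL,          # not the same uid, so no self-login
        "pam_opie.so": FAIL,          # user has no OPIE entry
        "pam_opieaccess.so": SUCCESS, # allow_local: nothing to restrict
        "pam_ssh.so": SUCCESS if (key_has_no_passphrase or password_ok) else FAIL,
        "pam_unix.so": SUCCESS if password_ok else FAIL,
    }
    return run_auth(stack_name, results)


if __name__ == "__main__":
    for stack in ("system_daniel", "login"):
        result, consulted = scenario(stack, key_has_no_passphrase=True, password_ok=False)
        print(f"{stack}: wrong password + passphrase-less key -> {result}; consulted {consulted}")
```

Running it shows that with the `sufficient` placement a wrong password is accepted and pam_unix.so never appears in the consulted list, while the `optional` placement in the login file above lets pam_unix.so decide and rejects the wrong password; the same exercise can be applied to any pam.d file before enabling a module that may succeed without checking the supplied password.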
