From owner-cvs-all Mon Mar 6 18:35: 5 2000
Delivered-To: cvs-all@freebsd.org
Received: from tempest.waterspout.com (tempest.waterspout.com [208.13.56.2]) by hub.freebsd.org (Postfix) with ESMTP id 73EF537BB5D; Mon, 6 Mar 2000 18:34:56 -0800 (PST) (envelope-from ajk@iu.edu)
Received: from localhost (ajk@localhost) by tempest.waterspout.com (8.9.3/8.9.3) with ESMTP id VAA10198; Mon, 6 Mar 2000 21:29:53 -0500 (EST) (envelope-from ajk@iu.edu)
Date: Mon, 6 Mar 2000 21:29:46 -0500 (EST)
From: "Andrew J. Korty"
X-Sender: ajk@tempest.waterspout.com
To: Peter Wemm
Cc: Adrian Pavlykevych, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_ssh Makefile
In-Reply-To: <20000307011635.C845D1CDE@overcee.netplex.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> "Andrew J. Korty" wrote:
> > > Make pam_ssh work.  It had an undefined symbol when it was
> > > dlopen()ed.  I'm not quite sure about this, I think it should be
> > > using -lssh_pic since it's being linked into a .so, but nothing
> > > seems to complain and it does work.  (well, it works for using
> > > the authorized_keys file, but I have not figured out how to get
> > > it to start a ssh-agent and cache the key for me)
> >
> > Do you have this line in /etc/pam.conf?
>
> No, there were no examples.  The thought never occurred to have a go
> at xdm. :-)  I was trying to use 'login'.

The login program doesn't use the PAM session layer, probably because
there is no underlying program running during the session as there is
with XDM, so there would be no way to close the PAM session.
> > xdm session optional pam_ssh.so
> >
> > Btw, we should really put some example lines in the default pam.conf file
> > along the lines of
> >
> > xdm auth sufficient pam_skey.so
> > xdm auth requisite pam_cleartext_pass_ok.so
> > xdm auth sufficient pam_ssh.so try_first_pass
> > xdm auth required pam_unix.so try_first_pass
> > xdm account required pam_unix.so
> > xdm session optional pam_ssh.so
>
> Definitely, but just checking, are these functional lines?  I'd hate to
> mess something up.

They work for me. :-)

> BTW; what happens if we list pam_ssh.so and it wasn't compiled as the crypto
> source isn't present?  Will it skip it or cause failures?

The following errors are logged at

unable to dlopen(/usr/lib/pam_ssh.so) [dlerror: Cannot open "/usr/lib/pam_ssh.so"]
adding faulty module: /usr/lib/pam_ssh.so

and then the module is skipped, in this case, falling back to pam_unix.so
for the auth layer.  I think it might fail completely if pam_ssh were
designated as required instead of sufficient (auth) and optional
(session).  I suppose we could comment the pam_ssh lines (like the ones
I submitted back in January, conf/16076) just to be safe.  I'd just like
people to know that it's there for them to use.

--
Andrew J. Korty, Lead Security Engineer
Office of the Vice President for Information Technology
Indiana University
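The exchange above turns on how the control flags (sufficient, required, requisite, optional) decide the outcome of a stack when one listed module cannot be loaded. The following script is an added example, not code from the thread or from FreeBSD's libpam: it parses the proposed xdm stanza, lists modules referenced but not installed (the check an administrator would run before shipping such a pam.conf), and replays the stack under the classic control-flag semantics documented for the Linux-PAM-derived libpam of that era. The installed-module set, the per-module outcomes and the treatment of an unloadable module as a plain failure are constructed assumptions for illustration.

```python
"""Simulate how a PAM stack resolves when a listed module cannot be loaded.

Assumed (classic) control-flag semantics:
  required   - failure makes the stack fail, but the remaining modules still run
  requisite  - failure ends the stack immediately with failure
  sufficient - success ends the stack with success unless an earlier required
               module failed; failure is ignored
  optional   - failure is ignored, so its result only counts when it is the
               only module in the stack
A module that cannot be dlopen()ed ("adding faulty module") is modelled as
returning failure. This is an added example, not libpam's own code.
"""
from dataclasses import dataclass

# Constructed sample: the xdm stanza proposed in the thread.
SAMPLE_PAM_CONF = """\
# service  facility  control     module                     arguments
xdm        auth      sufficient  pam_skey.so
xdm        auth      requisite   pam_cleartext_pass_ok.so
xdm        auth      sufficient  pam_ssh.so                 try_first_pass
xdm        auth      required    pam_unix.so                try_first_pass
xdm        account   required    pam_unix.so
xdm        session   optional    pam_ssh.so
"""

CONTROLS = ("required", "requisite", "sufficient", "optional")


@dataclass(frozen=True)
class Entry:
    service: str
    facility: str
    control: str
    module: str
    args: tuple


def parse_pam_conf(text):
    """Parse pam.conf lines; '#' starts a comment and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, facility, control, module, *args = fields
        if control not in CONTROLS:
            raise ValueError(f"unknown control flag {control!r} in {raw!r}")
        entries.append(Entry(service, facility, control, module, tuple(args)))
    return entries


def missing_modules(entries, present):
    """Modules the config references that are not installed (the admin check)."""
    return sorted({e.module for e in entries if e.module not in present})


def with_control(entries, module, facility, control):
    """Copy of the config with one module's control flag changed, for what-if runs."""
    return [Entry(e.service, e.facility, control, e.module, e.args)
            if e.module == module and e.facility == facility else e
            for e in entries]


def run_stack(entries, service, facility, present, outcomes):
    """Return True if the service/facility stack grants access.

    present  - set of module file names that exist on disk
    outcomes - dict module -> bool, the result each loadable module would return
    A module not in `present` is a faulty module and counts as a failure.
    """
    stack = [e for e in entries if e.service == service and e.facility == facility]
    impression = None  # None = undecided, True = success so far, False = failed
    for e in stack:
        ok = e.module in present and outcomes.get(e.module, False)
        if ok:
            if impression is None:
                impression = True
            # sufficient success ends the stack unless a required module already failed
            if e.control == "sufficient" and impression:
                return True
        elif e.control in ("required", "requisite"):
            impression = False
            if e.control == "requisite":  # requisite failure aborts immediately
                break
        # failures of sufficient/optional modules are ignored
    return impression is True


if __name__ == "__main__":
    entries = parse_pam_conf(SAMPLE_PAM_CONF)
    # Constructed scenario: pam_ssh.so was never built, the user has no S/Key,
    # and the cleartext check and pam_unix both succeed.
    installed = {"pam_skey.so", "pam_cleartext_pass_ok.so", "pam_unix.so"}
    results = {"pam_skey.so": False, "pam_cleartext_pass_ok.so": True, "pam_unix.so": True}
    print("missing modules:", missing_modules(entries, installed))
    print("xdm auth with pam_ssh sufficient:", run_stack(entries, "xdm", "auth", installed, results))
    stricter = with_control(entries, "pam_ssh.so", "auth", "required")
    print("xdm auth with pam_ssh required:", run_stack(stricter, "xdm", "auth", installed, results))
```

Run as a script it reports pam_ssh.so as missing, shows the auth stack still succeeding through pam_unix.so when pam_ssh.so is sufficient, and shows the same stack failing once the flag is changed to required, which is the distinction the reply draws. Under the classic rule the single optional entry in the session stack is the only module there, so a missing pam_ssh.so makes that stack fail as well; a pam_ssh.so that loads and succeeds passes both.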