From cjohnson@palomine.net Fri Sep 27 14:55:01 2002
Date: Fri, 27 Sep 2002 17:54:34 -0400
From: Chris Johnson
To: Archie Cobbs
cc: freebsd-stable@freebsd.org
Message-ID: <20020927215434.GA94394@palomine.net>
References: <200209272135.g8RLZ3We005877@arch20m.dellroad.org>
In-Reply-To: <200209272135.g8RLZ3We005877@arch20m.dellroad.org>

On Fri, Sep 27, 2002 at 02:35:03PM -0700, Archie Cobbs wrote:
> Yow! I was surprised to notice that setting these parameters:
>
>    PasswordAuthentication no
>    PermitRootLogin without-password
>
> in /etc/ssh/sshd_config have absolutely NO effect!
>
> This is because now /etc/pam.conf seems to control everything (?)

According to sshd_config(5):

    PAMAuthenticationViaKbdInt
        Specifies whether PAM challenge response authentication is
        allowed. This allows the use of most PAM challenge response
        authentication modules, but it will allow password
        authentication regardless of whether PasswordAuthentication
        is enabled.

It seems, however, that it's the ChallengeResponseAuthentication setting
that controls whether PAM authentication is enabled, and apparently its
being set to "yes" causes the behavior you're seeing.
Chris Johnson

From nectar@nectar.cc Sun Sep 29 08:10:01 2002
Date: Sun, 29 Sep 2002 10:11:14 -0500
From: "Jacques A. Vidrine"
To: Archie Cobbs
cc: freebsd-stable@FreeBSD.org
Subject: Re: sshd_config vs. PAM
Message-ID: <20020929151114.GD2853@hellblazer.nectar.cc>
References: <200209272135.g8RLZ3We005877@arch20m.dellroad.org>
In-Reply-To: <200209272135.g8RLZ3We005877@arch20m.dellroad.org>

On Fri, Sep 27, 2002 at 02:35:03PM -0700, Archie Cobbs wrote:
> Yow! I was surprised to notice that setting these parameters:
>
>    PasswordAuthentication no
>    PermitRootLogin without-password
>
> in /etc/ssh/sshd_config have absolutely NO effect!
>
> This is because now /etc/pam.conf seems to control everything (?)
>
> This seems to violate POLA in a very dangerous way. Nor is this
> documented anywhere in the ssh man pages... in fact, they lie and
> tell you that these options increase security.
>
> I recommend that we either detach sshd from PAM, or else stop
> documenting and pretending that /etc/ssh/sshd_config actually
> controls this stuff.

As far as I know, stock OpenSSH-portable behaves the same with regard
to PAM, except for some reason we use a different knob to affect it
(ChallengeResponseAuthentication versus PAMAuthenticationViaKbdInt) and
in portable it defaults to `no' while with ours it defaults to `yes'.

The man page should be fixed.

Cheers,
-- 
Jacques A. Vidrine                          http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From jamie@jamiesdomain.org.uk Mon Sep 30 04:20:01 2002
Date: Mon, 30 Sep 2002 12:19:21 +0100
From: "Jamie Heckford"
Reply-To: "Jamie Heckford"
To: "Archie Cobbs",
Subject: Re: sshd_config vs. PAM
Message-ID: <002e01c26873$3d717a50$3264a8c0@BONG>
References: <200209272135.g8RLZ3We005877@arch20m.dellroad.org>

I would very much like to see ssh completely detached from PAM, and
have the PAM ties as an option you have to enable as opposed to it
being the default.

----- Original Message -----
From: "Archie Cobbs"
To:
Sent: Friday, September 27, 2002 10:35 PM
Subject: sshd_config vs. PAM

> Yow! I was surprised to notice that setting these parameters:
>
>    PasswordAuthentication no
>    PermitRootLogin without-password
>
> in /etc/ssh/sshd_config have absolutely NO effect!
>
> This is because now /etc/pam.conf seems to control everything (?)
>
> This seems to violate POLA in a very dangerous way. Nor is this
> documented anywhere in the ssh man pages... in fact, they lie and
> tell you that these options increase security.
>
> I recommend that we either detach sshd from PAM, or else stop
> documenting and pretending that /etc/ssh/sshd_config actually
> controls this stuff.
>
> -Archie
>
> __________________________________________________________________________
> Archie Cobbs * Packet Design * http://www.packetdesign.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
>

From nectar@nectar.cc Sun Sep 29 08:05:01 2002
Date: Sun, 29 Sep 2002 10:04:02 -0500
From: "Jacques A. Vidrine"
To: archie@FreeBSD.org
cc: des@FreeBSD.org, re@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: sshd_config vs. PAM (fwd)
Message-ID: <20020929150402.GB2853@hellblazer.nectar.cc>
References: <200209290239.g8T2dFQj025381@arch20m.dellroad.org>
In-Reply-To: <200209290239.g8T2dFQj025381@arch20m.dellroad.org>

On Sat, Sep 28, 2002 at 07:39:15PM -0700, Archie Cobbs wrote:
> Could someone from security-officer@freebsd.org and/or re@freebsd.org
> give a little perspective on this?

More documentation couldn't hurt, particularly since the man page seems
to be a little out of whack with reality. The actual default
sshd_config is pretty clear on this point:

    # Change to no to disable PAM authentication
    #ChallengeResponseAuthentication yes

= With generic OpenSSH-portable, PAM will be used if
  PAMAuthenticationViaKbdInt is set, _regardless of the setting of
  PasswordAuthentication_

= With our OpenSSH, PAM will be used if ChallengeResponseAuthentication
  is set, _regardless of the setting of PasswordAuthentication_

In either case, the `sshd' pam configuration (e.g. in /etc/pam.conf or
/etc/pam.d) then controls how the authentication is done.

I don't know why we use a different knob for this.

Cheers,
-- 
Jacques A. Vidrine                          http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From robert@fledge.watson.org Sun Sep 29 19:10:01 2002
Date: Sun, 29 Sep 2002 22:06:36 -0400 (EDT)
From: Robert Watson
To: "Jacques A. Vidrine"
cc: archie@FreeBSD.org, des@FreeBSD.org, re@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: sshd_config vs. PAM (fwd)
In-Reply-To: <20020929150402.GB2853@hellblazer.nectar.cc>

On Sun, 29 Sep 2002, Jacques A. Vidrine wrote:
> On Sat, Sep 28, 2002 at 07:39:15PM -0700, Archie Cobbs wrote:
> > Could someone from security-officer@freebsd.org and/or re@freebsd.org
> > give a little perspective on this?
>
> More documentation couldn't hurt, particularly since the man page seems
> to be a little out of whack with reality. The actual default
> sshd_config is pretty clear on this point:

Yeah, the misunderstanding is that "PasswordAuthentication" doesn't
enable/disable login using passwords, it disables negotiation of the
PasswordAuthentication authentication type at the protocol layer. The
behavior is correct, it just specifies protocol behavior in a manner we
should document more carefully.

>     # Change to no to disable PAM authentication
>     #ChallengeResponseAuthentication yes
>
> = With generic OpenSSH-portable, PAM will be used if
>   PAMAuthenticationViaKbdInt is set, _regardless of the setting of
>   PasswordAuthentication_
>
> = With our OpenSSH, PAM will be used if ChallengeResponseAuthentication
>   is set, _regardless of the setting of PasswordAuthentication_
>
> In either case, the `sshd' pam configuration (e.g. in /etc/pam.conf or
> /etc/pam.d) then controls how the authentication is done.
>
> I don't know why we use a different knob for this.
>
> Cheers,
> -- 
> Jacques A. Vidrine                          http://www.celabo.org/
> NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
> jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
>

From nectar@nectar.cc Mon Sep 30 06:05:01 2002
Date: Mon, 30 Sep 2002 08:03:15 -0500
From: "Jacques A. Vidrine"
To: Robert Watson
cc: archie@FreeBSD.org, des@FreeBSD.org, re@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: sshd_config vs. PAM (fwd)
Message-ID: <20020930130315.GE14672@hellblazer.nectar.cc>
References: <20020929150402.GB2853@hellblazer.nectar.cc>

On Sun, Sep 29, 2002 at 10:06:36PM -0400, Robert Watson wrote:
> Yeah, the misunderstanding is that "PasswordAuthentication" doesn't
> enable/disable login using passwords, it disables negotiation of the
> PasswordAuthentication authentication type at the protocol layer. The
> behavior is correct, it just specifies protocol behavior in a manner we
> should document more carefully.

I'm not sure what the appropriate language would be for the man page.
I seem to recall that we used to have separate PAM configuration entries
for these two modes (`sshd' for password authentication, and `csshd' for
challenge/response authentication), but that no longer appears to be the
case. I wish DES was around: I hate to second guess what he intended.

The simplest change to the man page is as follows.

    ChallengeResponseAuthentication
        Specifies whether challenge response authentication is allowed.
        This allows the use of most PAM authentication modules, but it
        will also allow password authentication regardless of whether
        PasswordAuthentication is enabled. The default is ``yes''.
Index: sshd_config.5
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/sshd_config.5,v
retrieving revision 1.6
diff -c -r1.6 sshd_config.5
*** sshd_config.5	26 Jul 2002 15:16:56 -0000	1.6
--- sshd_config.5	30 Sep 2002 13:01:05 -0000
***************
*** 127,135 ****
  .Pp
  .It Cm ChallengeResponseAuthentication
  Specifies whether challenge response authentication is allowed.
! All authentication styles from
! .Xr login.conf 5
! are supported.
  The default is
  .Dq yes .
  .It Cm Ciphers
--- 127,136 ----
  .Pp
  .It Cm ChallengeResponseAuthentication
  Specifies whether challenge response authentication is allowed.
! This allows the use of most PAM authentication modules, but it
! will also allow password authentication regardless of whether
! .Cm PasswordAuthentication
! is enabled.
  The default is
  .Dq yes .
  .It Cm Ciphers
***************
*** 420,431 ****
  are refused if the number of unauthenticated connections reaches
  .Dq full
  (60).
- .It Cm PAMAuthenticationViaKbdInt
- Specifies whether PAM challenge response authentication is allowed. This
- allows the use of most PAM challenge response authentication modules, but
- it will allow password authentication regardless of whether
- .Cm PasswordAuthentication
- is enabled.
  .It Cm PasswordAuthentication
  Specifies whether password authentication is allowed.
  The default is
--- 421,426 ----

-- 
Jacques A. Vidrine                          http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From des@ofug.org Sun Oct 6 10:55:01 2002
Date: 06 Oct 2002 19:52:17 +0200
From: Dag-Erling Smorgrav
To: "Jacques A. Vidrine"
cc: Robert Watson, archie@FreeBSD.org, re@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: sshd_config vs. PAM (fwd)
References: <20020929150402.GB2853@hellblazer.nectar.cc> <20020930130315.GE14672@hellblazer.nectar.cc>
In-Reply-To: <20020930130315.GE14672@hellblazer.nectar.cc>
X-Url: http://www.ofug.org/~des/

"Jacques A. Vidrine" writes:
> I wish DES was around: I hate to second guess what he intended.

Sorry for going AWOL. It's been a tough ride.

> The simplest change to the man page is as follows.
>
>     ChallengeResponseAuthentication
>         Specifies whether challenge response authentication is allowed.
>         This allows the use of most PAM authentication modules, but it
>         will also allow password authentication regardless of whether
>         PasswordAuthentication is enabled. The default is ``yes''.

It will allow password authentication only through PAM - not through
OpenSSH's own password authentication mechanism.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-doc" in the body of the message
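Review bot: In the first hunk of the sshd_config.5 patch (*** 127,135 ****), the replacement sentence "will also allow password authentication regardless of whether .Cm PasswordAuthentication is enabled" does not say which code path accepts the password, so a reader can take it to mean the option re-enables OpenSSH's own "password" method; as DES's reply spells out, ChallengeResponseAuthentication only admits passwords through PAM. Suggest "will also allow password authentication through PAM regardless of whether .Cm PasswordAuthentication is enabled", plus a sentence telling administrators that disabling password logins therefore requires setting this option to no as well.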
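Review bot: In the second hunk (*** 420,431 ****), removing the PAMAuthenticationViaKbdInt entry outright leaves nothing for an administrator who knows that keyword from OpenSSH-portable's documentation to find; since the thread establishes that FreeBSD's sshd uses ChallengeResponseAuthentication for the same purpose, a one-line cross-reference under .Cm PasswordAuthentication (or in the ChallengeResponseAuthentication entry) naming the portable knob would save the confusion that started this thread.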
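The two rules Jacques lays out (PAM is consulted when PAMAuthenticationViaKbdInt is set in OpenSSH-portable, or when ChallengeResponseAuthentication is set in FreeBSD's OpenSSH, regardless of PasswordAuthentication), together with Robert's point that PasswordAuthentication only governs the protocol-level "password" method, can be checked mechanically against an sshd_config. The following is an added example, not code from the thread, from OpenSSH or from FreeBSD: a POSIX sh checker that reads a config file with sshd's first-occurrence-wins semantics, applies the defaults the thread gives for each flavour, and reports whether a password can still be accepted. The flavour names `freebsd` and `portable`, the function names and the sample configs are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH/FreeBSD: decide whether
# password logins stay reachable through PAM keyboard-interactive even when
# sshd_config says "PasswordAuthentication no". Defaults follow the thread:
# FreeBSD's OpenSSH defaults ChallengeResponseAuthentication to yes, portable
# OpenSSH defaults PAMAuthenticationViaKbdInt to no. Match blocks (added to
# sshd_config in later OpenSSH releases) are not handled.

# sshd_opt FILE KEYWORD DEFAULT: print the effective value of KEYWORD.
# sshd_config keywords are case-insensitive and the FIRST occurrence wins;
# lines starting with '#' are comments, so the shipped
# "#ChallengeResponseAuthentication yes" sets nothing by itself.
sshd_opt() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == key   { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# pam_password_path FILE FLAVOR (freebsd|portable): print "reachable" if a
# password can still be accepted (by the protocol-level "password" method
# or via PAM keyboard-interactive), otherwise "blocked".
pam_password_path() {
    case $2 in
        freebsd)  pam=$(sshd_opt "$1" ChallengeResponseAuthentication yes) ;;
        portable) pam=$(sshd_opt "$1" PAMAuthenticationViaKbdInt no) ;;
        *) echo "unknown flavor: $2" >&2; return 2 ;;
    esac
    pw=$(sshd_opt "$1" PasswordAuthentication yes)
    if [ "$pw" = yes ] || [ "$pam" = yes ]; then echo reachable; else echo blocked; fi
}

# Constructed sample: the settings from the original report on top of the
# shipped (commented-out) PAM knob.
cfg=$(mktemp) || exit 1
cat >"$cfg" <<'EOF'
# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes
PasswordAuthentication no
PermitRootLogin without-password
EOF
echo "FreeBSD, as reported:  $(pam_password_path "$cfg" freebsd)"    # reachable
echo "portable, same file:   $(pam_password_path "$cfg" portable)"   # blocked
# Hardened: turn the PAM knob off too (first occurrence wins, so prepend).
{ echo 'ChallengeResponseAuthentication no'; cat "$cfg"; } >"$cfg.fixed"
echo "FreeBSD, hardened:     $(pam_password_path "$cfg.fixed" freebsd)"  # blocked
rm -f "$cfg" "$cfg.fixed"
```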