Date:      Fri, 27 Sep 2002 17:54:34 -0400
From:      Chris Johnson <dcj-dated-1033163462.npbbkdfc@palomine.net>
To:        Archie Cobbs <archie@dellroad.org>
Cc:        freebsd-stable@freebsd.org
Message-ID:  <20020927215434.GA94394@palomine.net>
In-Reply-To: <200209272135.g8RLZ3We005877@arch20m.dellroad.org>
References:  <200209272135.g8RLZ3We005877@arch20m.dellroad.org>

On Fri, Sep 27, 2002 at 02:35:03PM -0700, Archie Cobbs wrote:
> Yow! I was surprised to notice that setting these parameters:
> 
>    PasswordAuthentication no
>    PermitRootLogin without-password
> 
> in /etc/ssh/sshd_config have absolutely NO effect!
> 
> This is because now /etc/pam.conf seems to control everything (?)
 
 According to sshd_config(5):
 
      PAMAuthenticationViaKbdInt
              Specifies whether PAM challenge response authentication is
              allowed. This allows the use of most PAM challenge response
              authentication modules, but it will allow password authentication
              regardless of whether PasswordAuthentication is enabled.
 
 It seems, however, that it's the ChallengeResponseAuthentication setting that
 controls whether PAM authentication is enabled, and apparently its being set to
 "yes" causes the behavior you're seeing.
 
 Chris Johnson
 
 
 From nectar@nectar.cc Sun Sep 29 08:10:01 2002
 Return-path: <nectar@nectar.cc>
 Date: Sun, 29 Sep 2002 10:11:14 -0500
 From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
 To: Archie Cobbs <archie@dellroad.org>
 cc: freebsd-stable@FreeBSD.org
 Subject: Re: sshd_config vs. PAM
 Message-ID: <20020929151114.GD2853@hellblazer.nectar.cc>
 Mail-Followup-To: "Jacques A. Vidrine" <nectar@FreeBSD.org>,
 	Archie Cobbs <archie@dellroad.org>, freebsd-stable@freebsd.org
 References: <200209272135.g8RLZ3We005877@arch20m.dellroad.org>
 MIME-Version: 1.0
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 In-Reply-To: <200209272135.g8RLZ3We005877@arch20m.dellroad.org>
 User-Agent: Mutt/1.3.27i
 X-Url: http://www.celabo.org/
 
 On Fri, Sep 27, 2002 at 02:35:03PM -0700, Archie Cobbs wrote:
 > Yow! I was surprised to notice that setting these parameters:
 > 
 >    PasswordAuthentication no
 >    PermitRootLogin without-password
 > 
 > in /etc/ssh/sshd_config have absolutely NO effect!
 > 
 > This is because now /etc/pam.conf seems to control everything (?)
 > 
 > This seems to violate POLA in a very dangerous way.  Nor is this
 > documented anywhere in the ssh man pages... in fact, they lie and
 > tell you that these options increase security.
 > 
 > I recommend that we either detach sshd from PAM, or else stop
 > documenting and pretending that /etc/ssh/sshd_config actually
 > controls this stuff.
 
 As far as I know, stock OpenSSH-portable behaves the same with regard
 to PAM, except for some reason we use a different knob to affect it
 (ChallengeResponseAuthentication versus PAMAuthenticationViaKbdInt)
 and in portable it defaults to `no' while with ours it defaults to
 `yes'.
 
 The man page should be fixed.
 
 Cheers,
 -- 
 Jacques A. Vidrine <nectar@celabo.org>          http://www.celabo.org/
 NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
 jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se
 
 From jamie@jamiesdomain.org.uk Mon Sep 30 04:20:01 2002
 Return-path: <jamie@jamiesdomain.org.uk>
 Message-ID: <002e01c26873$3d717a50$3264a8c0@BONG>
 Reply-To: "Jamie Heckford" <jamie@jamiesdomain.org.uk>
 From: "Jamie Heckford" <jamie@jamiesdomain.org.uk>
 To: "Archie Cobbs" <archie@dellroad.org>, <freebsd-stable@FreeBSD.ORG>
 References: <200209272135.g8RLZ3We005877@arch20m.dellroad.org>
 Subject: Re: sshd_config vs. PAM
 Date: Mon, 30 Sep 2002 12:19:21 +0100
 MIME-Version: 1.0
 Content-Type: text/plain;
 	charset="iso-8859-1"
 Content-Transfer-Encoding: 7bit
 X-Priority: 3
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2800.1106
 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
 X-Newnet-MailScanner: Found to be clean
 
 I would very much like to see ssh completely detached from PAM, and have the PAM ties as an option you have to enable as opposed to
 it being the default.
 
 ----- Original Message -----
 From: "Archie Cobbs" <archie@dellroad.org>
 To: <freebsd-stable@FreeBSD.ORG>
 Sent: Friday, September 27, 2002 10:35 PM
 Subject: sshd_config vs. PAM
 
 
 > Yow! I was surprised to notice that setting these parameters:
 >
 >    PasswordAuthentication no
 >    PermitRootLogin without-password
 >
 > in /etc/ssh/sshd_config have absolutely NO effect!
 >
 > This is because now /etc/pam.conf seems to control everything (?)
 >
 > This seems to violate POLA in a very dangerous way.  Nor is this
 > documented anywhere in the ssh man pages... in fact, they lie and
 > tell you that these options increase security.
 >
 > I recommend that we either detach sshd from PAM, or else stop
 > documenting and pretending that /etc/ssh/sshd_config actually
 > controls this stuff.
 >
 > -Archie
 >
 > __________________________________________________________________________
 > Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com
 >
 
 From nectar@nectar.cc Sun Sep 29 08:05:01 2002
 Return-path: <nectar@nectar.cc>
 Date: Sun, 29 Sep 2002 10:04:02 -0500
 From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
 To: archie@FreeBSD.org
 cc: des@FreeBSD.org, re@FreeBSD.org, security-officer@FreeBSD.org
 Subject: Re: sshd_config vs. PAM (fwd)
 Message-ID: <20020929150402.GB2853@hellblazer.nectar.cc>
 References: <200209290239.g8T2dFQj025381@arch20m.dellroad.org>
 MIME-Version: 1.0
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 In-Reply-To: <200209290239.g8T2dFQj025381@arch20m.dellroad.org>
 User-Agent: Mutt/1.3.27i
 X-Url: http://www.celabo.org/
 
 On Sat, Sep 28, 2002 at 07:39:15PM -0700, Archie Cobbs wrote:
 > Could someone from security-officer@freebsd.org and/or re@freebsd.org
 > give a little perspective on this?
 
 More documentation couldn't hurt, particularly since the man page seems
 to be a little out of whack with reality.  The actual default sshd_config
 is pretty clear on this point:
 
   # Change to no to disable PAM authentication
   #ChallengeResponseAuthentication yes
 
 
 = With generic OpenSSH-portable, PAM will be used if
   PAMAuthenticationViaKbdInt is set, _regardless of the setting of
   PasswordAuthentication_
 
 = With our OpenSSH, PAM will be used if
   ChallengeResponseAuthentication is set, _regardless of the setting
   of PasswordAuthentication_
 
 In either case, the `sshd' pam configuration (e.g. in /etc/pam.conf or 
 /etc/pam.d) then controls how the authentication is done.
 
 I don't know why we use a different knob for this.
 
 Cheers,
 -- 
 Jacques A. Vidrine <nectar@celabo.org>          http://www.celabo.org/
 NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
 jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se
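
The rule Jacques spells out above, turned into an added example (this is not code from the thread, from OpenSSH or from FreeBSD): a Python audit that parses an sshd_config, applies each build's default for the PAM knob, and reports whether a plain password can still get a user in even with PasswordAuthentication set to no. The knob/default table comes from the thread; the sample configs are constructed from the settings the original poster quoted; the claim that a stock PAM `sshd` policy accepts passwords is my assumption and is exposed as a parameter so a stricter policy can be modelled.

```python
"""Audit an sshd_config for the PAM/keyboard-interactive trap in this thread.

Added example for this thread, not code from OpenSSH or FreeBSD.

Rule taken from the thread: "PasswordAuthentication no" only stops the SSH
protocol's "password" method.  If the PAM knob is on, sshd still offers
keyboard-interactive authentication through PAM, and the PAM "sshd" policy
decides whether a plain password is accepted.  The knob and its default
differ between builds:

    FreeBSD OpenSSH:   ChallengeResponseAuthentication   (default yes)
    OpenSSH-portable:  PAMAuthenticationViaKbdInt        (default no)

Assumption (not from the thread): the PAM "sshd" policy accepts passwords,
as a stock pam_unix policy does.  It is a parameter, not a fact about
any particular system.
"""

import sys

# Keyword that gates PAM, and its compiled-in default, per build flavour.
PAM_KNOB = {
    "freebsd": ("challengeresponseauthentication", True),
    "portable": ("pamauthenticationviakbdint", False),
}


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for an sshd_config body.

    Whole-line comments and blank lines are dropped (sshd accepts no
    trailing comments, so none are stripped here); "Keyword value" and
    "Keyword=value" are both accepted.  sshd keeps the FIRST occurrence
    of a keyword and ignores later duplicates, so this parser does too.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue  # keyword with no value: malformed, skip it
        key, value = parts[0].lower(), parts[1].strip()
        opts.setdefault(key, value)
    return opts


def _yes(value, default):
    """Interpret an sshd yes/no value, falling back to the given default."""
    if value is None:
        return default
    return value.strip().lower() == "yes"


def password_paths(config_text, flavor="freebsd", pam_accepts_passwords=True):
    """Return which routes a plain password still has into this sshd.

    protocol_password_method: the SSH "password" method is offered.
    pam_keyboard_interactive: PAM is wired in AND its policy takes passwords.
    password_login_possible:  either of the above.
    """
    opts = parse_sshd_config(config_text)
    knob, knob_default = PAM_KNOB[flavor]
    proto = _yes(opts.get("passwordauthentication"), default=True)
    pam_on = _yes(opts.get(knob), default=knob_default)
    via_pam = pam_on and pam_accepts_passwords
    return {
        "protocol_password_method": proto,
        "pam_keyboard_interactive": via_pam,
        "password_login_possible": proto or via_pam,
    }


def findings(config_text, flavor="freebsd", pam_accepts_passwords=True):
    """Human-readable findings; an empty list means no password path is left."""
    paths = password_paths(config_text, flavor, pam_accepts_passwords)
    knob, _ = PAM_KNOB[flavor]
    out = []
    if paths["protocol_password_method"]:
        out.append("PasswordAuthentication is effectively yes: "
                   "the SSH 'password' method is offered")
    if paths["pam_keyboard_interactive"]:
        out.append("%s is effectively yes: PAM keyboard-interactive "
                   "can still accept a password" % knob)
    return out


# Constructed sample mirroring the settings quoted by the original poster.
ARCHIE_CONFIG = """\
PasswordAuthentication no
PermitRootLogin without-password
"""

# Constructed hardened variant: the FreeBSD knob is turned off explicitly.
HARDENED_CONFIG = ARCHIE_CONFIG + "ChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else ARCHIE_CONFIG
    for line in findings(text, flavor="freebsd") or ["no password path found"]:
        print(line)
```

Point it at a real file with `python audit.py /etc/ssh/sshd_config` (the script name is hypothetical) and switch `flavor` to "portable" for a stock OpenSSH-portable build. The same fact is visible from the client side: with `ssh -v`, the `Authentications that can continue:` line lists what the server offers, and if `keyboard-interactive` appears there the PAM path is still open whatever the config says about passwords.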
 
 From robert@fledge.watson.org Sun Sep 29 19:10:01 2002
 Return-path: <robert@fledge.watson.org>
 Date: Sun, 29 Sep 2002 22:06:36 -0400 (EDT)
 From: Robert Watson <rwatson@FreeBSD.org>
 X-Sender: robert@fledge.watson.org
 To: "Jacques A. Vidrine" <nectar@FreeBSD.org>
 cc: archie@FreeBSD.org, des@FreeBSD.org, re@FreeBSD.org,
    security-officer@FreeBSD.org
 Subject: Re: sshd_config vs. PAM (fwd)
 In-Reply-To: <20020929150402.GB2853@hellblazer.nectar.cc>
 Message-ID: <Pine.NEB.3.96L.1020929220528.22918P-100000@fledge.watson.org>
 MIME-Version: 1.0
 Content-Type: TEXT/PLAIN; charset=US-ASCII
 
 On Sun, 29 Sep 2002, Jacques A. Vidrine wrote:
 
 > On Sat, Sep 28, 2002 at 07:39:15PM -0700, Archie Cobbs wrote:
 > > Could someone from security-officer@freebsd.org and/or re@freebsd.org
 > > give a little perspective on this?
 > 
 > More documentation couldn't hurt, particularly since the man page seems
 > to be a little out of whack with reality.  The actual default
 > sshd_config is pretty clear on this point: 
 
 Yeah, the mis-understanding is that "PasswordAuthentication" doesn't
 enable/disable login using passwords, it disables negotiation of the
 PasswordAuthentication authentication type at the protocol layer.  The
 behavior is correct, it just specifies protocol behavior in a manner we
 should document more carefully. 
 
 > 
 >   # Change to no to disable PAM authentication
 >   #ChallengeResponseAuthentication yes
 > 
 > 
 > = With generic OpenSSH-portable, PAM will be used if
 >   PAMAuthenticationViaKbdInt is set, _regardless of the setting of
 >   PasswordAuthentication_
 > 
 > = With our OpenSSH, PAM will be used if
 >   ChallengeResponseAuthentication is set, _regardless of the setting
 >   of PasswordAuthentication_
 > 
 > In either case, the `sshd' pam configuration (e.g. in /etc/pam.conf or 
 > /etc/pam.d) then controls how the authentication is done.
 > 
 > I don't know why we use a different knob for this.
 > 
 > Cheers,
 > -- 
 > Jacques A. Vidrine <nectar@celabo.org>          http://www.celabo.org/
 > NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
 > jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se
 > 
 
 
 From nectar@nectar.cc Mon Sep 30 06:05:01 2002
 Return-path: <nectar@nectar.cc>
 Date: Mon, 30 Sep 2002 08:03:15 -0500
 From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
 To: Robert Watson <rwatson@FreeBSD.org>
 cc: archie@FreeBSD.org, des@FreeBSD.org, re@FreeBSD.org,
    security-officer@FreeBSD.org
 Subject: Re: sshd_config vs. PAM (fwd)
 Message-ID: <20020930130315.GE14672@hellblazer.nectar.cc>
 References: <20020929150402.GB2853@hellblazer.nectar.cc> <Pine.NEB.3.96L.1020929220528.22918P-100000@fledge.watson.org>
 MIME-Version: 1.0
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 In-Reply-To: <Pine.NEB.3.96L.1020929220528.22918P-100000@fledge.watson.org>
 User-Agent: Mutt/1.3.27i
 X-Url: http://www.celabo.org/
 
 On Sun, Sep 29, 2002 at 10:06:36PM -0400, Robert Watson wrote:
 > Yeah, the mis-understanding is that "PasswordAuthentication" doesn't
 > enable/disable login using passwords, it disables negotiation of the
 > PasswordAuthentication authentication type at the protocol layer.  The
 > behavior is correct, it just specifies protocol behavior in a manner we
 > should document more carefully. 
 
 I'm not sure what the appropriate language would be for the man page.
 I seem to recall that we used to have separate PAM configuration
 entries for these two modes (`sshd' for password authentication, and
 `csshd' for challenge/response authentication), but that no longer
 appears to be the case.
 
 I wish DES was around: I hate to second guess what he intended.
 
 The simplest change to the man page is as follows.
 
      ChallengeResponseAuthentication
              Specifies whether challenge response authentication is allowed.
              This allows the use of most PAM authentication modules, but it
              will also allow password authentication regardless of whether
              PasswordAuthentication is enabled.  The default is ``yes''.
 
 
 Index: sshd_config.5
 ===================================================================
 RCS file: /home/ncvs/src/crypto/openssh/sshd_config.5,v
 retrieving revision 1.6
 diff -c -r1.6 sshd_config.5
 *** sshd_config.5	26 Jul 2002 15:16:56 -0000	1.6
 --- sshd_config.5	30 Sep 2002 13:01:05 -0000
 ***************
 *** 127,135 ****
   .Pp
   .It Cm ChallengeResponseAuthentication
   Specifies whether challenge response authentication is allowed.
 ! All authentication styles from
 ! .Xr login.conf 5
 ! are supported.
   The default is
   .Dq yes .
   .It Cm Ciphers
 --- 127,136 ----
   .Pp
   .It Cm ChallengeResponseAuthentication
   Specifies whether challenge response authentication is allowed.
 ! This allows the use of most PAM authentication modules, but it
 ! will also allow password authentication regardless of whether
 ! .Cm PasswordAuthentication
 ! is enabled.
   The default is
   .Dq yes .
   .It Cm Ciphers
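 Review bot: the new ChallengeResponseAuthentication text says the option "will also allow password authentication regardless of whether PasswordAuthentication is enabled", but as Dag-Erling points out later in this thread that is password authentication only through PAM's keyboard-interactive path, not OpenSSH's own password method, so the sentence should say "password authentication via PAM". The entry should also state what `no` does, because the shipped sshd_config comment quoted earlier ("Change to no to disable PAM authentication") promises that `no` switches off PAM authentication altogether, not just challenge/response. Finally, the removed sentence "All authentication styles from login.conf(5) are supported." vanishes with no replacement; either keep it, if those styles are still reachable through PAM, or say explicitly that the login.conf styles no longer apply.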
 ***************
 *** 420,431 ****
   are refused if the number of unauthenticated connections reaches
   .Dq full
   (60).
 - .It Cm PAMAuthenticationViaKbdInt
 - Specifies whether PAM challenge response authentication is allowed. This
 - allows the use of most PAM challenge response authentication modules, but
 - it will allow password authentication regardless of whether
 - .Cm PasswordAuthentication
 - is enabled.
   .It Cm PasswordAuthentication
   Specifies whether password authentication is allowed.
   The default is
 --- 421,426 ----
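 Review bot: deleting the PAMAuthenticationViaKbdInt entry outright leaves an administrator who carries an sshd_config over from OpenSSH-portable with no hint of what this build does with that keyword; a one-line note, here or under ChallengeResponseAuthentication, saying that this build uses ChallengeResponseAuthentication in place of PAMAuthenticationViaKbdInt would close that gap. The unchanged context also shows the PasswordAuthentication entry still reading "Specifies whether password authentication is allowed.", which is exactly the wording that misled the original poster; since the keyword controls only the protocol-level "password" method, this hunk should amend that entry to cross-reference ChallengeResponseAuthentication and state that PAM password prompts are not affected by it.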
 
 -- 
 Jacques A. Vidrine <nectar@celabo.org>          http://www.celabo.org/
 NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
 jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se
 
 From des@ofug.org Sun Oct  6 10:55:01 2002
 Return-path: <des@ofug.org>
 Sender: des@flood.ping.uio.no
 X-Url: http://www.ofug.org/~des/
 X-Disclaimer: The views expressed in this message do not necessarily
   coincide with those of any organisation or company with
   which I am or have been affiliated.
 To: "Jacques A. Vidrine" <nectar@FreeBSD.org>
 cc: Robert Watson <rwatson@FreeBSD.org>, archie@FreeBSD.org, re@FreeBSD.org,
    security-officer@FreeBSD.org
 Subject: Re: sshd_config vs. PAM (fwd)
 References: <20020929150402.GB2853@hellblazer.nectar.cc>
 	<Pine.NEB.3.96L.1020929220528.22918P-100000@fledge.watson.org>
 	<20020930130315.GE14672@hellblazer.nectar.cc>
 From: Dag-Erling Smorgrav <des@ofug.org>
 Date: 06 Oct 2002 19:52:17 +0200
 In-Reply-To: <20020930130315.GE14672@hellblazer.nectar.cc>
 Message-ID: <xzp7kgv1mlq.fsf@flood.ping.uio.no>
 Lines: 19
 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2
 MIME-Version: 1.0
 Content-Type: text/plain; charset=us-ascii
 
 "Jacques A. Vidrine" <nectar@FreeBSD.org> writes:
 > I wish DES was around: I hate to second guess what he intended.
 
 Sorry for going AWOL.  It's been a tough ride.
 
 > The simplest change to the man page is as follows.
 > 
 >      ChallengeResponseAuthentication
 >              Specifies whether challenge response authentication is allowed.
 >              This allows the use of most PAM authentication modules, but it
 >              will also allow password authentication regardless of whether
 >              PasswordAuthentication is enabled.  The default is ``yes''.
 
 It will allow password authentication only through PAM - not through
 OpenSSH's own password authentication mechanism.
 
 DES
 -- 
 Dag-Erling Smorgrav - des@ofug.org
 
 

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020927215434.GA94394>