Date: Wed, 18 May 2005 22:28:29 +0930
From: "Daniel O'Connor" <doconnor@gsoft.com.au>
To: freebsd-hackers@freebsd.org
Subject: pam_ssh problems
Message-ID: <200505182228.36877.doconnor@gsoft.com.au>

I have used pam_ssh before, and I have the following in /etc/pam.d/system :-

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ldap.so no_warn try_first_pass
auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok

(i.e. what the committed version suggests).

Just recently (last week or so) I have noticed that pam_ssh will let me log in with _any_ password (empty, or just plain wrong)! :(

If I get the passphrase wrong I log in, but the key is not added to the agent (at least something is right :)

It didn't used to do this, however.

I just found that I had made an id_rsa file for testing purposes with no passphrase on it. While that was a little dumb, it seems very odd that pam_ssh would let me in with any password - I think it would make more sense to reject keys with no passphrase for authentication (with, say, a nullok option).

I think I'll work on a patch.

Basically this is a heads up for anyone else that uses pam_ssh to be a bit careful :)

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
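The behaviour reported in the message above hinges on a private key stored without a passphrase. As an added example (not part of the original post and not pam_ssh code), the following Python check classifies key files as encrypted or unencrypted so that passphrase-less keys on a host using pam_ssh can be found and reviewed. The function names and sample values are this example's own; it covers PEM-style and OpenSSH-format private key files only.

```python
import base64, binascii, re, struct
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.S)
MAGIC = b"openssh-key-v1\0"

def classify_private_key(text):
    """Return 'unencrypted', 'encrypted' or 'not-a-key' for a key file's text."""
    m = PEM_RE.search(text)
    if not m:
        return "not-a-key"
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":      # PKCS#8 encrypted container
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":        # cipher name follows the magic
        try:
            blob = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            return "not-a-key"
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            return "not-a-key"
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        return "unencrypted" if cipher == b"none" else "encrypted"
    # Legacy PEM (e.g. RSA PRIVATE KEY): encryption is flagged in a header line
    if re.search(r"^Proc-Type:\s*4,ENCRYPTED", body, re.M):
        return "encrypted"
    return "unencrypted"

def find_passphraseless_keys(ssh_dir):
    """Names of files in ssh_dir that hold a private key with no passphrase."""
    root, hits = Path(ssh_dir), []
    for path in (sorted(root.iterdir()) if root.is_dir() else []):
        if path.is_file() and path.stat().st_size <= 64 * 1024:
            if classify_private_key(path.read_text(errors="replace")) == "unencrypted":
                hits.append(path.name)
    return hits

# Constructed samples: the bodies are placeholders, not real key material.
def make_pem(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def make_openssh(cipher):
    raw = MAGIC + struct.pack(">I", len(cipher)) + cipher
    return make_pem("OPENSSH PRIVATE KEY", base64.b64encode(raw).decode())

SAMPLE_PLAIN = make_pem("RSA PRIVATE KEY", "Q09OU1RSVUNURUQ=")
SAMPLE_ENC = make_pem("RSA PRIVATE KEY",
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0011223344556677\n\nQ09OU1RSVUNURUQ=")
```

Calling `find_passphraseless_keys` on a user's `.ssh` directory returns the file names to review; a missing directory yields an empty list.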
