Date:      Wed, 18 May 2005 22:28:29 +0930
From:      "Daniel O'Connor" <doconnor@gsoft.com.au>
To:        freebsd-hackers@freebsd.org
Subject:   pam_ssh problems
Message-ID:  <200505182228.36877.doconnor@gsoft.com.au>


I have used pam_ssh before, and I have the following in /etc/pam.d/system :-
# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ldap.so             no_warn try_first_pass
auth            sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

(ie what the committed version suggests).

Just recently (last week or so) I have noticed that pam_ssh will let me
login with _any_ password (empty, or just plain wrong)! :(

If I get the passphrase wrong I login, but the key is not added to
the agent (at least something is right :) It didn't used to do this
however..

I just found that I had made a id_rsa file for testing purposes with no
passphrase on it. While that was a little dumb it seems very odd that
pam_ssh would let me in with any password - I think it would make
more sense to reject keys with no passphrase for authentication (with
say a nullok option).

I think I'll work on a patch.

Basically this is a heads up for anyone else that uses pam_ssh to be
a bit careful :)

-- 
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C

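The failure mode described in the message, worked through as a toy model (added here for illustration; this is neither pam_ssh nor OpenPAM source code). It models only the pam_ssh.so "sufficient" and pam_unix.so "required" entries of the quoted /etc/pam.d/system stack, leaves the OPIE lines out, and stands in for the real key-loading call with a function that mirrors its relevant property: an unencrypted key loads no matter what passphrase is supplied. The function names, the PrivateKey class and the sample passwords are all constructed for the example; the "nullok" option on the fixed module is the author's proposed knob, not an existing pam_ssh flag.

```python
"""Toy model of a PAM "auth" stack with pam_ssh.so marked "sufficient",
evaluated against a private key that has no passphrase.

Illustration written for this page; not pam_ssh or OpenPAM code.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"


@dataclass
class PrivateKey:
    """Stand-in for an id_rsa file. passphrase=None means the file is
    stored unencrypted, like the test key in the message."""
    passphrase: Optional[str]


def load_key(key: PrivateKey, candidate: str) -> bool:
    """Mimic a key-loading library: an encrypted key needs the right
    passphrase; an unencrypted key loads whatever passphrase is given."""
    if key.passphrase is None:
        return True
    return candidate == key.passphrase


def pam_ssh_as_observed(key: PrivateKey, password: str) -> str:
    """pam_ssh as the message describes it: success whenever the key loads,
    so an unencrypted key accepts any password, the empty string included."""
    return PAM_SUCCESS if load_key(key, password) else PAM_AUTH_ERR


def pam_ssh_reject_unencrypted(key: PrivateKey, password: str,
                               nullok: bool = False) -> str:
    """The change the author proposes: refuse a key that has no passphrase
    unless the administrator opts in with a (hypothetical) nullok option."""
    if key.passphrase is None and not nullok:
        return PAM_AUTH_ERR
    return PAM_SUCCESS if load_key(key, password) else PAM_AUTH_ERR


def pam_unix(password: str, real_password: str) -> str:
    """Stand-in for pam_unix.so: plain password comparison."""
    return PAM_SUCCESS if password == real_password else PAM_AUTH_ERR


Stack = List[Tuple[str, Callable[[], str]]]


def run_auth_stack(stack: Stack) -> bool:
    """Simplified chain semantics for the control flags in the message:
      sufficient - success ends the chain with success, unless an earlier
                   required module already failed; failure is ignored
      requisite  - failure ends the chain with failure at once
      required   - failure is remembered, but the chain keeps running
    """
    required_failed = False
    for control, module in stack:
        ok = module() == PAM_SUCCESS
        if control == "requisite" and not ok:
            return False
        if control == "sufficient" and ok and not required_failed:
            return True
        if control == "required" and not ok:
            required_failed = True
    return not required_failed


def login(password: str, key: PrivateKey, real_password: str,
          fixed: bool, nullok: bool = False) -> bool:
    """Build the two-entry auth stack and evaluate one login attempt."""
    if fixed:
        ssh_module = lambda: pam_ssh_reject_unencrypted(key, password, nullok)
    else:
        ssh_module = lambda: pam_ssh_as_observed(key, password)
    stack: Stack = [
        ("sufficient", ssh_module),                               # pam_ssh.so
        ("required", lambda: pam_unix(password, real_password)),  # pam_unix.so
    ]
    return run_auth_stack(stack)


if __name__ == "__main__":
    unencrypted = PrivateKey(passphrase=None)          # constructed sample
    encrypted = PrivateKey(passphrase="correct horse")  # constructed sample
    # Observed behaviour: with an unencrypted key, empty and wrong passwords log in.
    print(login("", unencrypted, "unixpw", fixed=False))       # True
    print(login("wrong", unencrypted, "unixpw", fixed=False))  # True
    # Proposed check: pam_ssh declines, so the attempt falls through to pam_unix.
    print(login("wrong", unencrypted, "unixpw", fixed=True))   # False
    print(login("unixpw", unencrypted, "unixpw", fixed=True))  # True
    # An encrypted key behaves correctly either way.
    print(login("wrong", encrypted, "unixpw", fixed=False))    # False
```

The point the model makes is that "sufficient" short-circuits the chain on success, so a module that returns success for any input silently replaces every module after it. Marking pam_ssh "required" instead would not help (pam_unix would still run, but the stack would then demand both a key and a password); the useful check is the one in pam_ssh_reject_unencrypted, which refuses to treat a passphrase-less key as proof of anything.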



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200505182228.36877.doconnor>