From owner-freebsd-hackers@FreeBSD.ORG Wed May 18 12:58:53 2005
From: "Daniel O'Connor" <doconnor@gsoft.com.au>
To: freebsd-hackers@freebsd.org
Date: Wed, 18 May 2005 22:28:29 +0930
Subject: pam_ssh problems
Message-Id: <200505182228.36877.doconnor@gsoft.com.au>

I have used pam_ssh before, and I have the following in /etc/pam.d/system :-

    # auth
    auth      sufficient  pam_opie.so        no_warn no_fake_prompts
    auth      requisite   pam_opieaccess.so  no_warn allow_local
    #auth     sufficient  pam_krb5.so        no_warn try_first_pass
    #auth     sufficient  pam_ldap.so        no_warn try_first_pass
    auth      sufficient  pam_ssh.so         no_warn try_first_pass
    auth      required    pam_unix.so        no_warn try_first_pass nullok

(ie what the committed version suggests).

Just recently (last week or so) I have noticed that pam_ssh will let me login with _any_ password (empty, or just plain wrong)! :(

If I get the passphrase wrong I login, but the key is not added to the agent (at least something is right :)

It didn't use to do this however..

I just found that I had made an id_rsa file for testing purposes with no passphrase on it. While that was a little dumb, it seems very odd that pam_ssh would let me in with any password - I think it would make more sense to reject keys with no passphrase for authentication (with, say, a nullok option).

I think I'll work on a patch.

Basically this is a heads-up for anyone else that uses pam_ssh to be a bit careful :)

-- 
Daniel O'Connor
software and network engineer for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
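As an added example (not code from the post, from pam_ssh or from FreeBSD), here is a small Python model of how OpenPAM's control flags evaluate the auth stack quoted in the post, and why an unencrypted id_rsa turns the "sufficient" pam_ssh line into an accept-anything step that stops pam_unix from ever being consulted. It assumes a user with no OPIE key (so pam_opie fails and pam_opieaccess with allow_local passes), and the reject_unencrypted flag is a hypothetical stand-in for the nullok-style option the post proposes, not a real pam_ssh option.

```python
PAM_SUCCESS, PAM_AUTH_ERR = "success", "auth_err"

# An account is modelled as {"password": str, "keys": [passphrase, ...]} where a
# key passphrase of None models an unencrypted (passphrase-less) id_rsa.

def pam_opie(acct, token, **_):  # assumed: user has no OPIE key, never succeeds
    return PAM_AUTH_ERR

def pam_opieaccess(acct, token, **_):  # allow_local, user not OPIE-enabled
    return PAM_SUCCESS

def pam_ssh(acct, token, reject_unencrypted=False, **_):
    """pam_ssh model: succeed if the token decrypts any key. An unencrypted key
    'decrypts' with any token, which is the behaviour the post reports.
    reject_unencrypted is a hypothetical option (not a real pam_ssh option)."""
    for passphrase in acct["keys"]:
        if passphrase is None:
            if not reject_unencrypted:
                return PAM_SUCCESS
        elif passphrase == token:
            return PAM_SUCCESS
    return PAM_AUTH_ERR

def pam_unix(acct, token, **_):
    return PAM_SUCCESS if token == acct["password"] else PAM_AUTH_ERR

# The auth stack from the post (commented-out krb5/ldap lines omitted).
STACK = [("sufficient", pam_opie), ("requisite", pam_opieaccess),
         ("sufficient", pam_ssh), ("required", pam_unix)]

def run_stack(stack, acct, token, **opts):
    """Evaluate an auth chain with OpenPAM-style control flags."""
    err = None  # first failure of a 'required' module, if any
    for control, module in stack:
        rc = module(acct, token, **opts)
        if rc == PAM_SUCCESS:
            if control == "sufficient" and err is None:
                return PAM_SUCCESS  # short-circuit: pam_unix never runs
        elif control == "requisite":
            return rc  # hard stop
        elif control == "required" and err is None:
            err = rc  # remember, but keep running the chain
    return err if err is not None else PAM_SUCCESS

def login(token, passphrase=None, password="correct-horse", **opts):
    """One user with one key (constructed sample data); returns the verdict."""
    acct = {"password": password, "keys": [passphrase]}
    return run_stack(STACK, acct, token, **opts)
```

With the hypothetical option on, a wrong token falls through to pam_unix and is rejected, while the real password still works.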