Date: Wed, 18 May 2005 15:06:20 +0200 From: Jose M Rodriguez <josemi@freebsd.jazztel.es> To: freebsd-hackers@freebsd.org Subject: Re: pam_ssh problems Message-ID: <200505181506.21129.josemi@freebsd.jazztel.es> In-Reply-To: <200505182228.36877.doconnor@gsoft.com.au> References: <200505182228.36877.doconnor@gsoft.com.au>
next in thread | previous in thread | raw e-mail | index | archive | help
El Mi=E9rcoles, 18 de Mayo de 2005 14:58, Daniel O'Connor escribi=F3: > I have used pam_ssh before, and I have the following in > /etc/pam.d/system :- # auth > auth sufficient pam_opie.so no_warn > no_fake_prompts auth requisite pam_opieaccess.so =20 > no_warn allow_local #auth sufficient pam_krb5.so =20 > no_warn try_first_pass #auth sufficient =20 > pam_ldap.so no_warn try_first_pass auth =20 > sufficient pam_ssh.so no_warn try_first_pass auth =20 > required pam_unix.so no_warn > try_first_pass nullok > > (ie what the committed version suggests). > > Just recently (last week or so) I have noticed that pam_ssh will let > me login with _any_ password (empty, or just plain wrong)! :( > > If I get the passphrase wrong I login, but the key is not added to > the agent (at least something is right :) It didn't used to do this > however.. > > I just found that I had made a id_rsa file for testing purposes with > no passphrase on it. While that was a little dumb it seems very odd > that pam_ssh would let me in with any password - I think it would > make more sense to reject keys with no passphrase for authenitcation > (with say a nullok option). > > I think I'll work on a patch. > > Basically this is a heads up for anyone else that uses pam_ssh to be > a bit careful :) I use this, but not for login/auth, only for get the agent running with=20 the keys decripted (same passwd used). =2D- josemi =2D-- /etc/pam.d/login --- # # $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $ # # PAM configuration for the "login" service # # auth auth required pam_nologin.so no_warn auth sufficient pam_self.so no_warn auth include system auth optional pam_ssh.so use_first_pass # account account requisite pam_securetty.so account include system # session session include system session optional pam_ssh.so want_agent # password password include system
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200505181506.21129.josemi>