From: Jose M Rodriguez
Organization: Redes JM
To: freebsd-hackers@freebsd.org
Date: Wed, 18 May 2005 15:06:20 +0200
Subject: Re: pam_ssh problems
In-Reply-To: <200505182228.36877.doconnor@gsoft.com.au>
Message-Id: <200505181506.21129.josemi@freebsd.jazztel.es>

On Wednesday, 18 May 2005 14:58, Daniel O'Connor wrote:
> I have used pam_ssh before, and I have the following in
> /etc/pam.d/system :-
>
> # auth
> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
> auth            requisite       pam_opieaccess.so       no_warn allow_local
> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
> #auth           sufficient      pam_ldap.so             no_warn try_first_pass
> auth            sufficient      pam_ssh.so              no_warn try_first_pass
> auth            required        pam_unix.so             no_warn try_first_pass nullok
>
> (ie what the committed version suggests).
>
> Just recently (last week or so) I have noticed that pam_ssh will let
> me login with _any_ password (empty, or just plain wrong)! :(
>
> If I get the passphrase wrong I login, but the key is not added to
> the agent (at least something is right :) It didn't used to do this
> however..
>
> I just found that I had made an id_rsa file for testing purposes with
> no passphrase on it. While that was a little dumb it seems very odd
> that pam_ssh would let me in with any password - I think it would
> make more sense to reject keys with no passphrase for authentication
> (with say a nullok option).
>
> I think I'll work on a patch.
>
> Basically this is a heads up for anyone else that uses pam_ssh to be
> a bit careful :)

I use this, but not for login/auth, only to get the agent running with
the keys decrypted (same passwd used).

--
josemi

--- /etc/pam.d/login ---
#
# $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
#
# PAM configuration for the "login" service
#

# auth
auth            required        pam_nologin.so  no_warn
auth            sufficient      pam_self.so     no_warn
auth            include         system
auth            optional        pam_ssh.so      use_first_pass

# account
account         requisite       pam_securetty.so
account         include         system

# session
session         include         system
session         optional        pam_ssh.so      want_agent

# password
password        include         system
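The two configurations in this thread differ in one word: Daniel's system file lists pam_ssh.so as `sufficient` in the auth stack, so a pam_ssh success alone admits the user, while Jose's login file lists it as `optional`, so it only decrypts keys for the agent. The following is an added example (not code from the thread, from FreeBSD, or from pam_ssh) showing how an administrator could audit both halves of the reported problem: a pam.d file in which pam_ssh.so is `sufficient` for `auth`, and a private key with no passphrase. The PAM texts and key files are constructed stand-ins; the key-format details (the `Proc-Type: 4,ENCRYPTED` PEM header, and the cipher-name string that follows the `openssh-key-v1` magic in newer keys) are assumptions about OpenSSH's on-disk formats, not something the thread states.

```python
import base64
import struct

# Constructed sample inputs, not real files: the auth stack Daniel quotes
# from /etc/pam.d/system, and the pam_ssh lines from Jose's /etc/pam.d/login.
SYSTEM_WITH_SUFFICIENT_PAM_SSH = """\
# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok
"""

LOGIN_WITH_OPTIONAL_PAM_SSH = """\
auth            required        pam_nologin.so  no_warn
auth            sufficient      pam_self.so     no_warn
auth            include         system
auth            optional        pam_ssh.so      use_first_pass
session         optional        pam_ssh.so      want_agent
"""


def parse_pam_file(text):
    """Return (facility, control, module, options) tuples from pam.d text.
    Comments and blank lines are skipped. An 'include' line comes back with
    control == 'include' and the included service name in the module slot."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        facility, control, module = fields[:3]
        entries.append((facility, control, module, fields[3:]))
    return entries


def pam_ssh_can_satisfy_auth(text):
    """True when pam_ssh.so is an auth module with the 'sufficient' control
    flag, so its success alone ends the auth stack and logs the user in.
    With 'optional' its verdict cannot by itself admit anyone. Included
    services are not followed; audit those files separately."""
    return any(
        facility == "auth" and control == "sufficient"
        and module.endswith("pam_ssh.so")
        for facility, control, module, _ in parse_pam_file(text)
    )


OPENSSH_MAGIC = b"openssh-key-v1\x00"


def private_key_is_encrypted(key_text):
    """True if an SSH private key carries a passphrase (assumed formats:
    PEM keys mark encryption with a 'Proc-Type: 4,ENCRYPTED' header; newer
    openssh-key-v1 keys store the cipher name as the first length-prefixed
    string after the magic, and it is 'none' when there is no passphrase)."""
    lines = key_text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n] != b"none"
    return any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:])


def fake_openssh_key(cipher):
    """Constructed, non-functional openssh-key-v1 blob that stops right after
    the cipher name; only that field is inspected above."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed PEM stand-ins: only the headers are inspected, the body is filler.
PEM_ENCRYPTED = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwga2V5
-----END RSA PRIVATE KEY-----
"""

PEM_PLAIN = """\
-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwga2V5
-----END RSA PRIVATE KEY-----
"""


def exposed_to_reported_behaviour(pam_text, key_text):
    """Both conditions from the thread together: a 'sufficient' pam_ssh.so
    auth line and a passphrase-less key in the user's ~/.ssh."""
    return pam_ssh_can_satisfy_auth(pam_text) and not private_key_is_encrypted(key_text)


if __name__ == "__main__":
    print("system + plain key:", exposed_to_reported_behaviour(SYSTEM_WITH_SUFFICIENT_PAM_SSH, PEM_PLAIN))
    print("login  + plain key:", exposed_to_reported_behaviour(LOGIN_WITH_OPTIONAL_PAM_SSH, PEM_PLAIN))
```

In practice the key check would be run over each `~/.ssh/id_*` file that pam_ssh can pick up, and the PAM check over every service file in /etc/pam.d plus whatever those files `include`, since Jose's login file pulls in `system`, where Daniel's `sufficient` line lives.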