Date: Sat, 8 Jul 2000 15:00:10 -0700
From: "Craig Critchley" <cac@fuzzer.com>
To: "Webbie" <webbie@everyday.cx>, "Jim Durham" <durham@w2xo.pgh.pa.us>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: openssh and PAM
Message-ID: <05ac01bfe927$e349e390$0201010a@craigc>
References: <39675126.D3CDCEAE@w2xo.pgh.pa.us> <14651280467.20000708145237@everyday.cx>

I ran into this too. I don't see a problem, but I'm not a security expert,
so better safe than sorry...

As Jim mentions, without PAM enabled, building openssh gets a link error for
the crypt function, so I also want to make sure adding libcrypt to the
libraries isn't the wrong fix...

The problem with PAM also seemed to be related to a missing crypt function;
sshd added syslog complaints about being unable to load pam_unix.so because
crypt was undefined; disabling PAM was the first step in trying to debug/fix
this. I'm wondering if I'm missing a dependency somewhere that would add an
updated crypt to a library that openssh links to.

Thanks,

...Craig

----- Original Message -----
From: "Webbie" <webbie@everyday.cx>
To: "Jim Durham" <durham@w2xo.pgh.pa.us>
Cc: <freebsd-security@FreeBSD.ORG>
Sent: Saturday, July 08, 2000 11:52 AM
Subject: Re: openssh and PAM

> Hello Jim,
>
> I have the same experience as you do.
>
> PAM is only a method to specify how you want to verify the password.
>
> What you/me have done was to tell sshd not to bother with pam auth and
> just use the default freebsd password auth method, either MD5 or DES.
>
> So, I don't see a security problem here.
>
>
> Saturday, July 08, 2000, 12:04:54 PM, you wrote:
>
> JD> Since this applies to a system in another galaxy far far away, I'll
> JD> ask this here!
>
> JD> I was building openssh-2.1.1p2 with openssl-0.95a on a 3.3-RELEASE
> JD> box. (Yes, I know it's upgrade time, but it's a production system
> JD> and I'm replacing it soon).
>
> JD> The sshd daemon would not authenticate using the PAM stuff. I *did*
> JD> install the stuff from the contrib directory in the openssh sources
> JD> in /etc/pam.conf.
>
> JD> It was suggested by a posting elsewhere that it would work by configging
> JD> it with --without-pam. You then get a link error, which you can fix
> JD> with -lcrypt in the Makefile.
>
> JD> What sort of security compromise have I caused here?
>
> JD> Thanks...
>
> --
> Webbie
> \\|//
> (o o)
> +-------------------------oOOo-(_)-oOOo-----------------------------+
> EMail : mailto:webbie(at)everyday(dot)cx
> PGP Key : http://www.everyday.cx/pgpkey.txt
> PGP Fingerprint: 0B9F E081 35CD B9AF 58EA 7E43 38EC C84F 4AB4 792C
> +-------------------------------------------------------------------+
> Dodge: Dead Or Dying Garbage Emitter
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message