From: "Craig Critchley"
To: "Webbie", "Jim Durham"
Subject: Re: openssh and PAM
Date: Sat, 8 Jul 2000 15:00:10 -0700
Message-ID: <05ac01bfe927$e349e390$0201010a@craigc>
References: <39675126.D3CDCEAE@w2xo.pgh.pa.us> <14651280467.20000708145237@everyday.cx>

I ran into this too. I don't see a problem, but I'm not a security expert, so better safe than sorry...

As Jim mentions, without PAM enabled, building openssh gets a link error for the crypt function, so I also want to make sure adding libcrypt to the libraries isn't the wrong fix...

The problem with PAM also seemed to be related to a missing crypt function; sshd added syslog complaints about being unable to load pam_unix.so because crypt was undefined; disabling PAM was the first step in trying to debug/fix this. I'm wondering if I'm missing a dependency somewhere that would add an updated crypt to a library that openssh links to.

Thanks,
...Craig

----- Original Message -----
From: "Webbie"
To: "Jim Durham"
Sent: Saturday, July 08, 2000 11:52 AM
Subject: Re: openssh and PAM

> Hello Jim,
>
> I have the same experience as you do.
>
> PAM is only a method to specify how you want to verify the password.
>
> What you/me have done was to tell sshd not to bother with pam auth and
> just use the default freebsd password auth method, either MD5 or DES.
>
> So, I don't see a security problem here.
>
>
> Saturday, July 08, 2000, 12:04:54 PM, you wrote:
>
> JD> Since this applies to a system in another galaxy far far away, I'll
> JD> ask this here!
>
> JD> I was building openssh-2.1.1p2 with openssl-0.95a on a 3.3-RELEASE
> JD> box. (Yes, I know it's upgrade time, but it's a production system
> JD> and I'm replacing it soon).
>
> JD> The sshd daemon would not authenticate using the PAM stuff. I *did*
> JD> install the stuff from the contrib directory in the openssh sources
> JD> in /etc/pam.conf.
>
> JD> It was suggested by a posting elsewhere that it would work by configging
> JD> it with --without-pam. You then get a link error, which you can fix
> JD> with -lcrypt in the Makefile.
>
> JD> What sort of security compromise have I caused here?
>
> JD> Thanks...
>
> --
> Webbie
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message