From owner-freebsd-security@FreeBSD.ORG  Fri Jun 18 20:27:02 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0DF4916A4CE
	for <freebsd-security@freebsd.org>;
	Fri, 18 Jun 2004 20:27:02 +0000 (GMT)
Received: from util.inch.com (shellutil.inch.com [216.223.208.53])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7964343D1F
	for <freebsd-security@freebsd.org>;
	Fri, 18 Jun 2004 20:27:01 +0000 (GMT)	(envelope-from spork@inch.com)
Received: from shell.inch.com (www.inch.com [216.223.192.20])
	i5IKQnjH031618	for <freebsd-security@freebsd.org>;
	Fri, 18 Jun 2004 16:26:49 -0400 (EDT)	(envelope-from spork@inch.com)
Received: from shell.inch.com (localhost [127.0.0.1])
	by shell.inch.com (8.12.8p2/8.12.8) with ESMTP id i5IKQJm1094465
	for <freebsd-security@freebsd.org>;
	Fri, 18 Jun 2004 16:26:30 -0400 (EDT)	(envelope-from spork@inch.com)
Received: from localhost (spork@localhost)i5IKQJY4094462
	for <freebsd-security@freebsd.org>;
	Fri, 18 Jun 2004 16:26:19 -0400 (EDT)
X-Authentication-Warning: shell.inch.com: spork owned process doing -bs
Date: Fri, 18 Jun 2004 16:26:19 -0400 (EDT)
From: Charles Sprickman <spork@inch.com>
To: freebsd-security@freebsd.org
Message-ID: <20040618161910.C70190@shell.inch.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: 4.x, PAM, password facility
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Jun 2004 20:27:02 -0000

Hi,

I've been playing around with pam_mysql, and have it working for
interactive logins (backed by /etc/passwd entries for uid/gid w/*'d
password field) and it works well so far.

Looking at the source to the module, it does support password changing.
So I put in the following entry in pam.conf:

sshd    password required       pam_mysql.so user=root db=pam table=users crypt=1

However, it doesn't seem to hit the module at all for password changes.  I
also noticed the default line is like so:

sshd   password required       pam_permit.so

I would have expected a "pam_unix.so" there instead.  Is the password
facility implemented in 4.x?

And since I know there's someone lurking here that knows this, is there
any way to have OpenSSH deny a login when a user has key-based auth setup
on their account?  I never found a good way to take care of that; changing
the shell, etc. is a bit awkward.

Thanks,

Charles

--
Charles Sprickman
spork@inch.com