From: Charles Sprickman <spork@inch.com>
To: freebsd-security@freebsd.org
Date: Fri, 18 Jun 2004 16:26:19 -0400 (EDT)
Subject: 4.x, PAM, password facility
Message-ID: <20040618161910.C70190@shell.inch.com>

Hi,

I've been playing around with pam_mysql, and have it working for interactive logins (backed by /etc/passwd entries for uid/gid w/ *'d password field) and it works well so far. Looking at the source to the module, it does support password changing. So I put in the following entry in pam.conf:

    sshd password required pam_mysql.so user=root db=pam table=users crypt=1

However, it doesn't seem to hit the module at all for password changes.

I also noticed the default line is like so:

    sshd password required pam_permit.so

I would have expected a "pam_unix.so" there instead. Is the password facility implemented in 4.x?

And since I know there's someone lurking here that knows this, is there any way to have OpenSSH deny a login when a user has key-based auth set up on their account? I never found a good way to take care of that; changing the shell, etc. is a bit awkward.

Thanks,

Charles

--
Charles Sprickman
spork@inch.com
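An added example, not from the original post or from the pam_mysql project: a small Python audit script that parses a constructed pam.conf in the four-column "service facility control module args" format shown in the message and reports which services have a password stack made up only of pam_permit.so, the situation Charles noticed for sshd (a password change is accepted but no module updates any credential store). The sample file contents are constructed for the example.

```python
"""Audit a pam.conf for the 'password' facility.

Each non-comment line is: service facility control module [args...]
For every service, collect the modules on its password stack and flag
stacks that consist only of pam_permit.so, i.e. a password change would
"succeed" without any module actually touching a credential store.
"""
from collections import OrderedDict

# Constructed sample pam.conf (not a real system's file): the poster's
# pam_mysql line next to the default pam_permit line, plus two other
# services for contrast.
SAMPLE_PAM_CONF = """\
# pam.conf (constructed sample)
sshd    auth        required    pam_unix.so         try_first_pass
sshd    password    required    pam_permit.so
sshd    password    required    pam_mysql.so user=root db=pam table=users crypt=1
login   password    required    /usr/lib/pam_unix.so
ftpd    password    required    pam_permit.so
other   auth        required    pam_unix.so
"""

def parse_pam_conf(text):
    """Return {service: [(control, module, args), ...]} for the password facility."""
    stacks = OrderedDict()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                           # malformed; PAM itself would reject it
        service, facility, control = fields[:3]
        module = fields[3].rsplit("/", 1)[-1]  # modules may be given as full paths
        if facility != "password":
            continue
        stacks.setdefault(service, []).append((control, module, " ".join(fields[4:])))
    return stacks

def permit_only_services(stacks):
    """Services whose password stack has no module other than pam_permit.so."""
    return [svc for svc, entries in stacks.items()
            if all(module == "pam_permit.so" for _, module, _ in entries)]

if __name__ == "__main__":
    stacks = parse_pam_conf(SAMPLE_PAM_CONF)
    for svc, entries in stacks.items():
        print(svc, "->", ", ".join(module for _, module, _ in entries))
    print("pam_permit-only password stacks:", permit_only_services(stacks))
```

Run against a real /etc/pam.conf by reading the file into parse_pam_conf; any service listed by permit_only_services accepts password changes that no module records.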