From owner-freebsd-stable Mon Sep 30 4:19:57 2002 Delivered-To: freebsd-stable@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BEC7937B401 for ; Mon, 30 Sep 2002 04:19:55 -0700 (PDT) Received: from newnet.co.uk (newnet.co.uk [212.87.80.12]) by mx1.FreeBSD.org (Postfix) with ESMTP id D120443E42 for ; Mon, 30 Sep 2002 04:19:54 -0700 (PDT) (envelope-from jamie@jamiesdomain.org.uk) Received: from BONG (perry-gw-nat1-eth1.router.trident-uk.co.uk [81.3.89.49]) by newnet.co.uk (8.12.3/8.12.3) with SMTP id g8UBJkkW064825; Mon, 30 Sep 2002 12:19:47 +0100 (BST) (envelope-from jamie@jamiesdomain.org.uk) Message-ID: <002e01c26873$3d717a50$3264a8c0@BONG> Reply-To: "Jamie Heckford" From: "Jamie Heckford" To: "Archie Cobbs" , References: <200209272135.g8RLZ3We005877@arch20m.dellroad.org> Subject: Re: sshd_config vs. PAM Date: Mon, 30 Sep 2002 12:19:21 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 X-Newnet-MailScanner: Found to be clean Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG I would very much like to see ssh completely detached from PAM, and have the PAM ties as an option you have to enable as opposed to it being the default. ----- Original Message ----- From: "Archie Cobbs" To: Sent: Friday, September 27, 2002 10:35 PM Subject: sshd_config vs. PAM > Yow! I was surprised to notice that setting these parameters: > > PasswordAuthentication no > PermitRootLogin without-password > > in /etc/ssh/sshd_config have absolutely NO effect! > > This is because now /etc/pam.conf seems to control everything (?) > > This seems to violate POLA in a very dangerous way. Nor is this > documented anywhere in the ssh man pages... in fact, they lie and > tell you that these options increase security. > > I recommend that we either detach sshd from PAM, or else stop > documenting and pretending that /etc/ssh/sshd_config actually > controls this stuff. > > -Archie > > __________________________________________________________________________ > Archie Cobbs * Packet Design * http://www.packetdesign.com > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-stable" in the body of the message > -- ____________________________________________________ Message scanned for viruses and dangerous content by and believed to be clean To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message