From owner-freebsd-stable Sun Sep 29 8:11:16 2002 Delivered-To: freebsd-stable@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3CB2237B401 for ; Sun, 29 Sep 2002 08:11:15 -0700 (PDT) Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id CAC4D43E4A for ; Sun, 29 Sep 2002 08:11:14 -0700 (PDT) (envelope-from nectar@nectar.cc) Received: by gw.nectar.cc (Postfix, from userid 1001) id 6AD4B3C; Sun, 29 Sep 2002 10:11:14 -0500 (CDT) Date: Sun, 29 Sep 2002 10:11:14 -0500 From: "Jacques A. Vidrine" To: Archie Cobbs Cc: freebsd-stable@freebsd.org Subject: Re: sshd_config vs. PAM Message-ID: <20020929151114.GD2853@hellblazer.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , Archie Cobbs , freebsd-stable@freebsd.org References: <200209272135.g8RLZ3We005877@arch20m.dellroad.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200209272135.g8RLZ3We005877@arch20m.dellroad.org> User-Agent: Mutt/1.3.27i X-Url: http://www.celabo.org/ Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Fri, Sep 27, 2002 at 02:35:03PM -0700, Archie Cobbs wrote: > Yow! I was surprised to notice that setting these parameters: > > PasswordAuthentication no > PermitRootLogin without-password > > in /etc/ssh/sshd_config have absolutely NO effect! > > This is because now /etc/pam.conf seems to control everything (?) > > This seems to violate POLA in a very dangerous way. Nor is this > documented anywhere in the ssh man pages... in fact, they lie and > tell you that these options increase security. > > I recommend that we either detach sshd from PAM, or else stop > documenting and pretending that /etc/ssh/sshd_config actually > controls this stuff. As far as I know, stock OpenSSH-portable behaves the same with regard to PAM, except for some reason we use a different knob to affect it (ChallengeResponseAuthentication versus PAMAuthenticationViaKbdInt) and in portable in defaults to `no' while with ours it defaults to `yes'. The man page should be fixed. Cheers, -- Jacques A. Vidrine http://www.celabo.org/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message