Date:      Fri, 23 Nov 2007 14:14:14 +0800
From:      "Quan Qiu" <jackqq@gmail.com>
To:        freebsd-stable@freebsd.org
Subject:   Re: Software for distribution of configuration files and changes
Message-ID:  <53a565700711222214t7cc160bcq25769f9393d75081@mail.gmail.com>
In-Reply-To: <20071123052155.GA721@eos.sc1.parodius.com>
References:  <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAACAAAAAAAAAAiuboouUF6EKrT2uPks5M1AAAAAD7AgAAAPYFABAAAAAdMdDZF9ebRbtpiHRx6LqFAQAAAAA=@kmjeuro.com> <474325A0.7060802@gmail.com> <200711202315.lAKNFa4R012904@fire.js.berklix.net> <20071121002043.GA98340@eos.sc1.parodius.com> <53a565700711202145q3c1a8db5k8c0d41d7ad890405@mail.gmail.com> <EC7D0AEA-8151-45BC-B2C4-15B5E108F404@khera.org> <53a565700711221721v1eb695bcy507780fc3fc30eaa@mail.gmail.com> <20071123052155.GA721@eos.sc1.parodius.com>


On Nov 23, 2007 1:21 PM, Jeremy Chadwick <koitsu@freebsd.org> wrote:
> > > > "ChallengeResponseAuthentication no" is also required to avoid sshd
> > > > accepting keyboard-interactive/pam.
>
> This affects all users, and not just root.  This is probably not
> what you want.

Yes. But without PAM, sshd just prompts for the password in a slightly different way.
PuTTY output:

PAM:

Using username "root".
Using keyboard-interactive authentication.
Password:


sshd:

Using username "root".
root@blahblah.blah's password:


And, what's worse, if the system is going down (in 5 minutes),
  pam_nologin.so in /etc/pam.d/sshd
will kick you (non-root) out even if you have
  ignorenologin
in your login class, while removing that line from the PAM config will
render the nologin feature useless for all users.

In other words, if a system uses PAM and forbids root login
using a password, administrators (staff or wheel) have no way
to log in again to stop the pending shutdown if they don't have
the root key at hand in a timely manner.



> And have you tried actually attempting to log in with root's password
> that way?  I'm betting it doesn't work.

That really worked for me. I'm running RELENG_5. The cvsid for
/etc/pam.d/sshd is
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
sshd version:
OpenSSH_3.8.1p1 FreeBSD-20060930, OpenSSL 0.9.7e-p1 25 Oct 2004


My proof:

Using username "root".
Using keyboard-interactive authentication.
Password:
Last login: Fri Nov 23 09:14:27 2007 from 61.136.19.236
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

FreeBSD 5.5-STABLE (JACKQQNAT) #6: Mon Nov 19 21:33:30 CST 2007

root@services [~] 13:51 Fri Nov 23
#cat /etc/pam.d/sshd
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
...


Without PAM:

Using username "root".
root@blahblah.blah's password:
Access denied
root@blahblah.blah's password:


-- 
(QIU Quan) <jackqq@gmail.com>
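The configuration gap the thread describes (PasswordAuthentication no alone does not stop root password logins while UsePAM yes and ChallengeResponseAuthentication yes remain in effect), turned into a small audit script. This is an added example, not code from the thread; the keyword defaults it assumes are upstream OpenSSH compiled-in defaults, and the two sample configs are constructed.

```shell
#!/bin/sh
# Added audit script (not from the original thread). Given sshd_config text,
# report how root could still authenticate. sshd honours the FIRST occurrence
# of each keyword; Match blocks (absent in OpenSSH 3.8) are not handled.

# Effective value of keyword $1 (default $2); config text read from stdin.
sshd_opt() {
    v=$(awk -v k="$1" '$1 !~ /^#/ && tolower($1) == tolower(k) { print tolower($2); exit }')
    printf '%s\n' "${v:-$2}"
}

# Assumed defaults: upstream OpenSSH compiled-in values (UsePAM no upstream;
# FreeBSD's shipped sshd_config sets it to yes, so the samples do so explicitly).
root_auth_exposure() {   # $1 = sshd_config text
    permit=$(printf '%s\n' "$1" | sshd_opt PermitRootLogin yes)
    pw=$(printf '%s\n' "$1" | sshd_opt PasswordAuthentication yes)
    cr=$(printf '%s\n' "$1" | sshd_opt ChallengeResponseAuthentication yes)
    pam=$(printf '%s\n' "$1" | sshd_opt UsePAM no)
    case "$permit" in
        no)               echo "root-login-disabled"; return ;;
        without-password) echo "root-key-only"; return ;;   # password and kbd-int refused for root
    esac
    if [ "$pw" = yes ]; then
        echo "root-password-via-password-auth"
    elif [ "$cr" = yes ] && [ "$pam" = yes ]; then
        # The case in the thread: sshd offers keyboard-interactive, PAM checks root's password.
        echo "root-password-via-keyboard-interactive-pam"
    elif [ "$cr" = yes ]; then
        echo "challenge-response-enabled-without-pam"   # depends on compiled-in backend
    else
        echo "root-key-only"
    fi
}

# Constructed sample configs, not copied from any real host.
WEAK_CFG='UsePAM yes
PermitRootLogin yes
PasswordAuthentication no
#ChallengeResponseAuthentication no'

FIXED_CFG='UsePAM yes
PermitRootLogin yes
PasswordAuthentication no
ChallengeResponseAuthentication no'

root_auth_exposure "$WEAK_CFG"    # prints root-password-via-keyboard-interactive-pam
root_auth_exposure "$FIXED_CFG"   # prints root-key-only
```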

