[linux-security] Re: sshd and PAM [summary]
- From: "Rafael J. Wysocki" <rafael llinuxsite czacki waw ids edu pl>
- To: linux-security redhat com
- Subject: [linux-security] Re: sshd and PAM [summary]
- Date: Wed, 7 Oct 1998 18:39:12 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hi,
I've got several replies, thank you for them. Let me summarize:
o Many people say there is a PAMified version of ssh available at
ftp://ftp.replay.com/pub/crypto/redhat/SRPMS (the source)
ftp://ftp.replay.com/pub/crypto/redhat/i386 (Intel binaries)
(there are analogous paths for the other architectures). The packages
are made by Jan "Yenya" Kasprzak <kas eunet cz>. Of course, the mirrors
of ftp.replay.com contain these RPMs as well.
o John A. Martin <jam jamux com> says there are PAMified ssh packages at
ftp://ftp.fi.muni.cz/pub/ssh/local-fi.muni.cz/linux/
o Andy McRory <amacc mailer org> says there is a patch for ssh-1.2.25 at
ftp://ftp.dhp.com/pub/linux/dhp-dist
o Some people say the "original" sshd does not have PAM support built in (not
surprising) and it should be patched. The patch can be taken from the
SRPM at ftp.replay.com, for example (see above).
I have downloaded the RPMs from ftp.replay.com and done some (small) tests.
I've installed the binaries and configs/docs from ssh-1.2.26-1i.i386.rpm
and ssh-server-1.2.26-1i.i386.rpm and found that the stuff works with PAM
as long as the password authentication is used. However, if a client
uses RSA authentication, many PAM restrictions can be evaded. For example,
the RSA-authenticated client is always allowed to log in independently
of the PAM settings. Similarly, if I turn pam_limits.so on and set
maxlogins (in /etc/security/limits.conf) to, say, 2 for everyone, the
RSA-authenticated client is allowed to log in as many times as (s)he wants
(if the same client is password-authenticated, the limit takes effect, of
course). There are some other useful PAM modules which I suspect may not
work with this version of (PAMified) sshd. I'll verify this in a few days,
I hope.
For me, the conclusion is that if you need sshd which supports PAM, the
packages from ftp.replay.com may be useful, although you shouldn't expect
everything to work like you want it to.
Regards
Rafael
- --
My public PGP key is available at http://www.czacki.waw.ids.edu.pl/~rafael
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQB1AwUBNhupZMbfgppnl6DpAQGmlQL5AZ0HsjIkAUzsX/DohXYOj35BSCBrAFcU
mTntAJpGYA+4r68FZV417NSxyLp158AvDsRpYVmAN6cVwsm9WqLPNbLV3sSfhEBk
F0DKynn+gTQoIMlg1dsXa5N02iq2lttA
=wJG6
-----END PGP SIGNATURE-----
[mod: It seems that the ssh password authentication is PAM-ified,
but the RSA authentication is not. SSH probably doesn't even call
PAM in the case that the RSA authentication works. The current
implementation provides the PAM features that go with passwords
(e.g. being able to switch to shadow passwords), as long as you use
passwords, but not with the RSA authentication. Still some work to
be done: take the ssh RSA stuff and make it into a PAM module... -- REW]
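To make the pam_limits observation above concrete, here is an added example (not code from the message, from the moderator, or from the ssh packages discussed) that parses a pam_limits-style limits.conf, works out the effective maxlogins for a user the way pam_limits prioritises entries (explicit user over @group over "*", an assumption taken from the pam_limits documentation), compares it with the sessions already open, and then models the two sshd paths reported in the message: the password path, which runs the PAM stack, and the RSA path, which never calls PAM and therefore never evaluates the limit. The limits.conf text and the session list are constructed here; the "2 for everyone" line mirrors the test in the message.

```python
# Added example: evaluate pam_limits maxlogins and show which check an
# authentication path that bypasses PAM skips. All data below is constructed.
from typing import Dict, List, NamedTuple, Optional, Tuple


class LimitEntry(NamedTuple):
    domain: str   # user name, "@group" or "*"
    type: str     # "soft", "hard" or "-"
    item: str     # e.g. "maxlogins", "nofile"
    value: str    # numeric, or "unlimited"/"-1"


# Constructed sample of /etc/security/limits.conf.
LIMITS_CONF = """\
#<domain>  <type>  <item>      <value>
*          -       maxlogins   2
@wheel     hard    maxlogins   5
alice      -       maxlogins   1
bob        -       nofile      1024
"""

# Constructed list of sessions currently open, as (user, tty) pairs,
# i.e. what pam_limits would count from utmp.
ACTIVE_SESSIONS: List[Tuple[str, str]] = [
    ("alice", "pts/0"),
    ("bob", "pts/1"),
    ("bob", "pts/2"),
    ("carol", "pts/3"),
]


def parse_limits(text: str) -> List[LimitEntry]:
    """Parse limits.conf: comments and blank lines are dropped, and a line
    without exactly four fields is ignored, as pam_limits does."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            continue
        entries.append(LimitEntry(*fields))
    return entries


def _limit_value(value: str) -> int:
    # "unlimited", "infinity" and "-1" all mean no limit.
    if value.lower() in ("unlimited", "infinity"):
        return -1
    return int(value)


def effective_limit(entries: List[LimitEntry], user: str, groups: List[str],
                    item: str = "maxlogins") -> Optional[int]:
    """Assumed precedence (from the pam_limits documentation): an explicit
    user entry wins over a matching @group entry, which wins over "*".
    Returns None when no entry sets the item at all."""
    best: Optional[Tuple[int, int]] = None   # (priority, value)
    for e in entries:
        if e.item != item:
            continue
        if e.domain == user:
            prio = 2
        elif e.domain.startswith("@") and e.domain[1:] in groups:
            prio = 1
        elif e.domain == "*":
            prio = 0
        else:
            continue
        if best is None or prio > best[0]:
            best = (prio, _limit_value(e.value))
    return None if best is None else best[1]


def session_count(sessions: List[Tuple[str, str]], user: str) -> int:
    return sum(1 for u, _ in sessions if u == user)


def pam_limits_allows(entries: List[LimitEntry], sessions: List[Tuple[str, str]],
                      user: str, groups: List[str]) -> bool:
    """What the pam_limits session check decides for one more login."""
    limit = effective_limit(entries, user, groups)
    if limit is None or limit < 0:
        return True
    return session_count(sessions, user) < limit


def login_decision(user: str, groups: List[str], sessions: List[Tuple[str, str]],
                   entries: List[LimitEntry], auth_method: str) -> Dict[str, object]:
    """Model of the behaviour reported in the message: password auth runs the
    PAM stack (so pam_limits is consulted), while RSA auth logs the user in
    without calling PAM, so the maxlogins value is never looked at."""
    consults_pam = auth_method == "password"
    allowed = pam_limits_allows(entries, sessions, user, groups) if consults_pam else True
    return {"auth": auth_method, "pam_consulted": consults_pam, "allowed": allowed}


if __name__ == "__main__":
    entries = parse_limits(LIMITS_CONF)
    for method in ("password", "rsa"):
        print(login_decision("alice", [], ACTIVE_SESSIONS, entries, method))
```

Running it shows alice, who is already at her limit of one session, being refused over the password path and accepted over the RSA path with `pam_consulted` false, which is exactly the gap the message reports: the limit is enforced by the PAM session stack, so any login path that does not enter that stack enforces nothing.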