
Re: OpenSSH and PAM



On Mon, 11 Sep 2000, Ben Collins wrote:

> On Mon, Sep 11, 2000 at 01:30:31PM -0400, Paul Nicholas Faure wrote:
> > Does OpenSSH support PAM fully ?
> > OpenSSH does not prompt the user for a new password if it has expired. It
> > simply says "Warning: Your password has expired, please change it now".
> > 
> > My /etc/pam.d/sshd file is:
> > auth       required     /lib/security/pam_securetty.so
> > auth       required     /lib/security/pam_unix.so shadow nullok
> > auth       required     /lib/security/pam_nologin.so
> > account    required     /lib/security/pam_unix.so
> > password   required     /lib/security/pam_cracklib.so retry=3
> > password   required     /lib/security/pam_unix.so shadow nullok use_authtok nis
> > session    required     /lib/security/pam_unix.so
> > session    optional     /lib/security/pam_console.so
> > 
> > My /etc/pam.d/login file is the same as /etc/pam.d/sshd. And telnet
> > properly prompts me for a password.
> 
> I had a patch for OpenSSH 1 that got accepted upstream, and allowed it to
> check PAM session and account, even during RSA authentication (currently
> RSA auth bypasses a lot of the normal account locking features). Problem
> is, it got axed sometime after as "the wrong place for unix account
> verification".
OpenSSH 2.2.0p1 supports ssh1 and 2 protocols.  It also properly prompts
for the password in the LATEST release assuming you have set a password
expiration date.

As for prompting for a password even with RSA authentication, this would
severely break configurations using ssh to copy files and run scripts
automatically (without requiring a password).  What if your cron'd remote
mirroring scp fails (for 2 days straight) because your password expired on
a Saturday and it prompts you to change it even though you use RSA key
authentication for your scripts?  I can think of many more examples where
the above would be unwanted.

Maybe OpenSSH should allow you to configure how it controls RSA
authentication and pam (strict or relaxed), but it shouldn't force strict
checking that would break ssh's ability to run automatically.

> IMO, this is a serious lack in OpenSSH's (and even fsecure's Unix sshd)
> functionality.
> 
> 

----------------
Running on Linux 2.4
Michael A. Dietz
mad099@dietznet.net
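The gap Ben describes (RSA key authentication skipping the PAM account checks that would otherwise stop an expired or locked account) is easy to audit for. The following is an added example, not code from this thread: it approximates pam_unix's account-stage ageing check over /etc/shadow fields and flags users who would fail it but still hold an authorized_keys file. The shadow lines, the set of key holders and the date are constructed.

```python
import datetime
# Constructed /etc/shadow sample (not from the thread).  Field 3 is the
# last password change in days since 1970-01-01, field 5 the maximum
# password age in days, field 8 an absolute account expiry day.
SHADOW_SAMPLE = """\
root:HASH:11000:0:99999:7:::
alice:HASH:11100:0:90:7:::
bob:HASH:11200:0:90:7:::
carol:HASH:11150:0:90:7::11180:
dave:HASH:0:0:90:7:::
"""
# Constructed: accounts holding an ~/.ssh/authorized_keys file, so key
# authentication lets them in even where pam_unix's account check would not.
KEY_USERS = {"alice", "carol", "dave", "root"}

def parse_shadow(text):
    """Return {user: (lastchg, maxdays, expire)}, None for empty fields."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 9 or line.startswith("#"):
            continue          # blank, comment or malformed line
        to_int = lambda s: int(s) if s else None
        users[fields[0]] = (to_int(fields[2]), to_int(fields[4]), to_int(fields[7]))
    return users

def expiry_reason(lastchg, maxdays, expire, today):
    """Approximation of pam_unix's account stage: why it would refuse login."""
    if expire is not None and today > expire:
        return "account expired"
    if lastchg == 0:
        return "password change required"      # forced change at next login
    if None not in (lastchg, maxdays) and maxdays < 99999 \
            and today - lastchg > maxdays:
        return "password expired"
    return None

def key_bypass_candidates(shadow_text, key_users, today):
    """Users pam_unix would stop, but who can still log in with an SSH key."""
    found = {}
    for user, (lastchg, maxdays, expire) in parse_shadow(shadow_text).items():
        reason = expiry_reason(lastchg, maxdays, expire, today)
        if reason and user in key_users:
            found[user] = reason
    return found

if __name__ == "__main__":
    today = (datetime.date(2000, 9, 11) - datetime.date(1970, 1, 1)).days
    for user, why in sorted(key_bypass_candidates(SHADOW_SAMPLE, KEY_USERS, today).items()):
        print(f"{user}: {why}, yet authorized_keys present")
```

On a real host you would feed it the actual shadow file (root only) and the list of home directories that contain an authorized_keys file; the accounts it prints are the ones the "relaxed" behaviour discussed above lets through.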