Re: OpenSSH and PAM

On Mon, Sep 11, 2000 at 09:18:05PM -0500, Michael A. Dietz wrote:
> > RSA auth bypasses a lot of the normal account locking features). Problem
> > is, it got axed sometime after as "the wrong place for unix account
> > verification".
> OpenSSH 2.2.0p1 supports ssh1 and 2 protocols.  It also properly prompts
> for the password in the LATEST release assuming you have set a password
> expiration date.
> As for prompting for a password even with RSA authentication, this would
> severely break configurations using ssh to copy files and run scripts
> automatically (without requiring a password).  What if your cron'd remote
> mirroring scp fails (for 2 days straight) because your password expired on
> a Saturday and it prompts you to change it even though you use RSA key
> authentication for your scripts ? I can think of many more examples where
> the above would be unwanted.

scp does not create an interactive session, so it should be possible
for ssh to eschew password change enforcement for non-interactive sessions.

this would allow users to avoid it by logging in by ssh host /bin/bash
but if they are that stubborn they will find other ways to get out of
changing their password.

> Maybe OpenSSH should allow you to configure how it controls RSA
> authentication and pam (strict or relaxed), but it shouldn't force strict
> checking that would break ssh's ability to run automatically.  

seems to me it would make sense to move the RSA authentication into a
PAM module, stack it in as a sufficient.

Ethan Benson
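A simplified model of PAM control-flag evaluation, added here as an example and not code from the thread, OpenSSH or Linux-PAM: it shows why stacking the RSA check as `sufficient` in the auth group, as suggested above, still leaves the account group (expiry, locking) to run. `pam_rsa` is a hypothetical module name and the `.auth`/`.account` suffixes are a constructed convention for which management function a module is called through.

```python
# Simplified model of PAM stack evaluation (educational approximation,
# not Linux-PAM's real dispatcher). pam_rsa is a hypothetical module.
PAM_SUCCESS = "success"
PAM_AUTH_ERR = "auth_err"
PAM_ACCT_EXPIRED = "acct_expired"
PAM_PERM_DENIED = "perm_denied"


def run_stack(stack, results):
    """Evaluate one management group (auth, account, ...).

    stack   : ordered list of (control, module)
    results : dict module -> return code; missing modules fail
    required   - failure remembered, later modules still run
    requisite  - failure ends the stack at once
    sufficient - success ends the stack unless an earlier required
                 module failed; failure is ignored
    optional   - result ignored
    """
    first_failure = None
    decided = False
    for control, module in stack:
        rc = results.get(module, PAM_AUTH_ERR)
        ok = rc == PAM_SUCCESS
        if control == "required":
            decided = True
            if not ok and first_failure is None:
                first_failure = rc
        elif control == "requisite":
            if not ok:
                return rc
            decided = True
        elif control == "sufficient" and ok and first_failure is None:
            return PAM_SUCCESS
    if first_failure is not None:
        return first_failure
    return PAM_SUCCESS if decided else PAM_PERM_DENIED


def ssh_login(auth_stack, account_stack, results):
    """Model sshd calling pam_authenticate() then pam_acct_mgmt()."""
    rc = run_stack(auth_stack, results)
    if rc != PAM_SUCCESS:
        return rc
    return run_stack(account_stack, results)


# Constructed stacks: RSA key check as a sufficient auth module, with
# pam_unix still enforcing account state in the account group.
AUTH_STACK = [("sufficient", "pam_rsa.auth"), ("required", "pam_unix.auth")]
ACCOUNT_STACK = [("required", "pam_unix.account")]
```

With a valid key, no password and an expired account, `ssh_login` succeeds in the auth group but is refused by the account group, which is the check the current out-of-PAM RSA path skips.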

