[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: OpenSSH and PAM



On Mon, 11 Sep 2000, Ethan Benson wrote:

> On Mon, Sep 11, 2000 at 09:18:05PM -0500, Michael A. Dietz wrote:
> > > RSA auth bypasses a lot of the normal account locking features). Problem
> > > is, it got axed sometime after as "the wrong place for unix account
> > > verification".
> > OpenSSH 2.2.0p1 supports ssh1 and 2 protocols.  It also properly prompts
> > for the password in the LATEST release assuming you have set a password
> > expiration date.
> > 
> > As for prompting for a password even with RSA authentication, this would
> > severly break configurations using ssh to copy files and run scripts
> > automatically (without requiring a password).  What if your cron'd remote
> > mirroring scp fails (for 2 days straight) because your password expired on
> > a Saturday and it prompts you to change it even though you use RSA key
> > authentication for your scripts ? I can think of many more examples where
> > the above would be unwanted.
> 
> scp does not create an interactive session, so it should be possible
> for ssh to eschew password change enforcment for non-interactive sessions.
> 
> this would allow users to avoid it by logging in by ssh host /bin/bash
> but if they are that stubborn they will find other ways to get out of
> changing their password.

This sounds acceptable, most users don't even know how to change there
password manually (this is why I want it to prompt automatically) let alone
discover this hack.

> > Maybe OpenSSH should allow you to configure how it controls RSA
> > authentication and pam (strict or relaxed), but it shouldn't force strict
> > checking that would break ssh's ability to run automatically.  
> 
> seems to me it would make sense to move the RSA authentication into a
> PAM module, stack it in as a sufficient.

This would also be a good solution. What is involved in creating a PAM
module ? How easy is it ?

-- 
Paul Faure					paul@paulfaure.com
Carleton University Systems Engineer 3rd Year	paul@porkchop.org
Engsoc Admin/BOG Technical Director		paul@engsoc.org





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []