[Bug 165919] Review Request: pam_ssh Pluggable Authentication Module for ssh
bugzilla at redhat.com
Tue Aug 16 11:41:34 UTC 2005
Summary: Review Request: pam_ssh Pluggable Authentication Module for ssh
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=165919
------- Additional Comments From dmitry at butskoy.name 2005-08-16 07:41 EST -------
Patrice,
As there is a "stand-alone" patch (pam_ssh-1.91-getpwnam.patch), you can now
just use the session phase for your remote ssh login.
It was impossible with the current upstream version, because it does not allow
using the session phase separately from the auth phase. (Typically, SSH keys
are used for remote ssh login authentication, not pam auth.)
Now you can just use /etc/pam.d/sshd as:
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_ssh.so
(Make sure sshd's option "UsePrivilegeSeparation" is set to "no", IMHO).
As you see, there is no more necessity to "cat /var/run/pam_ssh/<user>" by the
unprivileged user.
Does this way satisfy you?
Are there any other practical cases where the files should be user-readable? If
not, let's keep the present restrictive variant. If somebody complains, we
shall change it at the next update.
More information about the fedora-extras-list
mailing list