Gentoo Archives: gentoo-security

From: Adrian CAPDEFIER <adriancapdefier@×××××××.ro>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] pam configuration for ssh
Date: Tue, 10 Aug 2004 10:44:21
Message-Id: 4118A854.1040308@digifin.ro
In Reply to: Re: [gentoo-security] pam configuration for ssh by Paul de Vrieze
Paul de Vrieze wrote:
> On Tuesday 10 August 2004 08:50, Adrian CAPDEFIER wrote:
>
>>Hello.
>>I'm trying to have my sshd use only key-based auth while still taking
>>advantage of the PAM modules.
>>My sshd_config is configured quite right but pam modules overwrite some of
>>those settings that deny password login. How should I modify this file?
>>
>>neuro root # cat /etc/pam.d/sshd
>>
>>auth required pam_unix.so nullok
>>auth required pam_shells.so
>>auth required pam_nologin.so
>>auth required pam_env.so
>>account required pam_unix.so
>>password required pam_cracklib.so difok=3 retry=3 minlen=8 \
>> dcredit=2 ocredit=2 use_authtok
>>password required pam_unix.so shadow md5
>>session required pam_unix.so
>>session required pam_limits.so
>>
>>I've shamelessly copied this from the gentoo security guide and, as it
>>was my understanding, it was supposed to deny password logins. Well it
>>doesn't. When I disable PAM in /etc/ssh/sshd_config, passwords are
>>disabled but as I said before I want to use PAM.
>>Some recommended reading on PAM would be nice, too :).
>
>
> What about just using:
> auth required pam_deny and nothing else for the auth service
>
> Paul
>
> ps. the password service should not be needed by ssh (it doesn't set
> passwords), so make it deny too.
>

Thank you, Paul! You helped me again :). That did the trick with
password logins.
I don't understand the p.s. though.
Who sets the passwords when remotely logged in?
I set password only to pam_deny.so and I was still able to change those
passwords so now my file looks like this (comments excluded)

neuro root # cat /etc/pam.d/sshd

auth required pam_deny.so
account required pam_unix.so
password required pam_deny.so
session required pam_unix.so
session required pam_limits.so


--

Adi

--
gentoo-security@g.o mailing list
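
Added example (not part of the original message and not a Gentoo or PAM tool): a small Python check that parses a PAM service file and reports whether its auth and password stacks are guaranteed to fail, run on the two /etc/pam.d/sshd files quoted in this thread. The function names and the conservative rule (any control other than required, requisite or optional seen before pam_deny.so counts as "not guaranteed") are assumptions of the example.

```python
import re

# Constructed sample inputs: the two /etc/pam.d/sshd files quoted in the thread.
BEFORE = """\
auth required pam_unix.so nullok
auth required pam_shells.so
auth required pam_nologin.so
auth required pam_env.so
account required pam_unix.so
password required pam_cracklib.so difok=3 retry=3 minlen=8 \\
 dcredit=2 ocredit=2 use_authtok
password required pam_unix.so shadow md5
session required pam_unix.so
session required pam_limits.so
"""
AFTER = """\
auth required pam_deny.so
account required pam_unix.so
password required pam_deny.so
session required pam_unix.so
session required pam_limits.so
"""

def parse_pam(text):
    """Return (type, control, module, args) tuples from a pam.d service file."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():  # join continued lines
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)",
                     line.split("#")[0].strip())         # drop comments
        if m:
            rules.append((m[1].lower(), m[2], m[3], m[4].split()))
    return rules

def stack_always_fails(rules, kind):
    """True only if a required/requisite pam_deny.so is reached unconditionally."""
    for _, control, module, _ in [r for r in rules if r[0] == kind]:
        if control in ("required", "requisite") and module.endswith("pam_deny.so"):
            return True
        if control not in ("required", "requisite", "optional"):
            return False  # sufficient, include, [...]: outcome not guaranteed
    return False

def audit(text):
    """Summarise what the service file allows for password-based login."""
    rules = parse_pam(text)
    return {
        "auth_denied": stack_always_fails(rules, "auth"),
        "password_denied": stack_always_fails(rules, "password"),
        "nullok": any(t == "auth" and "nullok" in a for t, _, _, a in rules),
    }
```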

Replies

Subject Author
Re: [gentoo-security] pam configuration for ssh Paul de Vrieze <pauldv@g.o>