Paul de Vrieze wrote:
> On Tuesday 10 August 2004 08:50, Adrian CAPDEFIER wrote:
>
>>Hello.
>>I'm trying to have my sshd use only key-based auth while still taking
>>advantage of the PAM modules.
>>My sshd_config is configured quite right but pam modules overwrite some of
>>those settings that deny password login. How should I modify this file?
>>
>>neuro root # cat /etc/pam.d/sshd
>>
>>auth required pam_unix.so nullok
>>auth required pam_shells.so
>>auth required pam_nologin.so
>>auth required pam_env.so
>>account required pam_unix.so
>>password required pam_cracklib.so difok=3 retry=3 minlen=8 \
>> dcredit=2 ocredit=2 use_authtok
>>password required pam_unix.so shadow md5
>>session required pam_unix.so
>>session required pam_limits.so
>>
>>I've shamelessly copied this from the gentoo security guide and, as it
>>was my understanding, it was supposed to deny password logins. Well it
>>doesn't. When I disable PAM in /etc/ssh/sshd_config, passwords are
>>disabled but as I said before I want to use PAM.
>>Some recommended reading on PAM would be nice, too :).
>
>
> What about just using:
> auth required pam_deny and nothing else for the auth service
>
> Paul
>
> ps. the password service should not be needed by ssh (it doesn't set
> passwords), so make it deny too.
>

Thank you, Paul! You helped me again :). That did the trick with
password logins.
I don't understand the p.s. though.
Who sets the passwords when remotely logged in?
I set password only to pam_deny.so and I was still able to change those
passwords, so now my file looks like this (comments excluded):

neuro root # cat /etc/pam.d/sshd

auth required pam_deny.so
account required pam_unix.so
password required pam_deny.so
session required pam_unix.so
session required pam_limits.so


--

Adi

--
gentoo-security@g.o mailing list
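The thread's three situations (original stack with UsePAM on: passwords accepted; UsePAM off: passwords refused; pam_deny-only auth stack with UsePAM on: passwords refused) can be checked mechanically. The script below is an added example, not something posted in the thread or shipped by Gentoo or OpenSSH: it reads an /etc/pam.d/sshd-style stack and an sshd_config as text and reports whether a password login is still reachable. The sample stacks and sshd_config fragments are constructed from the posts. Two assumptions are encoded: sshd_config keywords are case-insensitive and the first occurrence wins, and with UsePAM yes the keyboard-interactive method (ChallengeResponseAuthentication, default yes; renamed KbdInteractiveAuthentication in newer OpenSSH) runs the PAM auth stack even when PasswordAuthentication is no, which is why pam_unix in that stack still lets a password through. The PAM check applies only Paul's rule, "pam_deny.so and nothing else in the auth stack"; it does not model sufficient/optional control-flag semantics.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PAM sshd stack plus an
# sshd_config for reachable password logins. All configs here are constructed.

# Constructed: the auth stack from the original question (pam_unix checks passwords).
PAM_BEFORE='auth required pam_unix.so nullok
auth required pam_shells.so
auth required pam_nologin.so
auth required pam_env.so
account required pam_unix.so
password required pam_unix.so shadow md5
session required pam_unix.so
session required pam_limits.so'

# Constructed: the corrected stack, auth is pam_deny and nothing else.
PAM_AFTER='auth required pam_deny.so
account required pam_unix.so
password required pam_deny.so
session required pam_unix.so
session required pam_limits.so'

# Constructed sshd_config fragments for the two sides of the thread.
SSHD_PAM='UsePAM yes
PasswordAuthentication no
PubkeyAuthentication yes'
SSHD_NOPAM='UsePAM no
PasswordAuthentication no'

# pam_modules STACK TYPE: print the module of every line of management type
# TYPE (auth/account/password/session), skipping comments. Also copes with the
# bracketed Linux-PAM control syntax, e.g. "[success=1 default=ignore]".
pam_modules() {
    printf '%s\n' "$1" | awk -v t="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 != t { next }
        {
            i = 2
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            else i = 3
            if (i <= NF) print $i
        }'
}

# pam_auth_verdict STACK: "denied" when the auth stack is solely pam_deny.so,
# "empty" when it has no auth lines, otherwise "password-capable".
pam_auth_verdict() {
    mods=$(pam_modules "$1" auth)
    [ -n "$mods" ] || { echo "empty"; return; }
    for m in $mods; do
        [ "$m" = pam_deny.so ] || { echo "password-capable"; return; }
    done
    echo "denied"
}

# sshd_value CONFIG KEYWORD DEFAULT: keyword match is case-insensitive and the
# first occurrence wins; DEFAULT is used when the keyword is absent.
sshd_value() {
    v=$(printf '%s\n' "$1" | awk -v k="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == tolower(k) { print tolower($2); exit }')
    echo "${v:-$3}"
}

# password_login_possible PAM_STACK SSHD_CONFIG: "yes" or "no".
# Route 1: the "password" method (verified through PAM when UsePAM is on,
# otherwise by sshd itself against the shadow file).
# Route 2: keyboard-interactive, which with UsePAM yes runs the PAM auth stack
# and prompts for a password if that stack can accept one.
password_login_possible() {
    pam=$(pam_auth_verdict "$1")
    usepam=$(sshd_value "$2" UsePAM no)
    pwauth=$(sshd_value "$2" PasswordAuthentication yes)
    kbd=$(sshd_value "$2" ChallengeResponseAuthentication yes)
    if [ "$pwauth" = yes ]; then
        if [ "$usepam" = no ] || [ "$pam" = password-capable ]; then echo yes; return; fi
    fi
    if [ "$kbd" = yes ] && [ "$usepam" = yes ] && [ "$pam" = password-capable ]; then
        echo yes; return
    fi
    echo no
}

# The thread's three situations.
echo "original stack, UsePAM yes: $(password_login_possible "$PAM_BEFORE" "$SSHD_PAM")"   # yes
echo "original stack, UsePAM no:  $(password_login_possible "$PAM_BEFORE" "$SSHD_NOPAM")" # no
echo "pam_deny stack, UsePAM yes: $(password_login_possible "$PAM_AFTER" "$SSHD_PAM")"    # no
```

To run it against a live host, replace the constructed variables with `$(cat /etc/pam.d/sshd)` and `$(cat /etc/ssh/sshd_config)`; a "yes" verdict means a password prompt is still reachable over SSH and the auth stack or sshd_config needs the change Paul describes.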