| 1 |
On Tuesday 10 August 2004 08:50, Adrian CAPDEFIER wrote: |
| 2 |
> Hello. |
| 3 |
> I'm trying to have my sshd use only key-based auth while still taking |
| 4 |
> advantages of the PAM modules. |
| 5 |
> My sshd_config is config quite right but pam modules overwrite some of |
| 6 |
> those settings that deny password login. How should I modify this file |
| 7 |
> |
| 8 |
> neuro root # cat /etc/pam.d/sshd |
| 9 |
> |
| 10 |
> auth required pam_unix.so nullok |
| 11 |
> auth required pam_shells.so |
| 12 |
> auth required pam_nologin.so |
| 13 |
> auth required pam_env.so |
| 14 |
> account required pam_unix.so |
| 15 |
> password required pam_cracklib.so difok=3 retry=3 minlen=8 \ |
| 16 |
> dcredit=2 ocredit=2 use_authtok |
| 17 |
> password required pam_unix.so shadow md5 |
| 18 |
> session required pam_unix.so |
| 19 |
> session required pam_limits.so |
| 20 |
> |
| 21 |
> I've shamelessy copied this from the gentoo security guide and, as it |
| 22 |
> was my understanding, it was supposed to deny password logins. Well it |
| 23 |
> doesn't. When I disable PAM in /etc/ssh/sshd_config, passwords are |
| 24 |
> disabled but as I said before I want to use PAM. |
| 25 |
> Some recommended reading on PAM would be nice, too :). |
| 26 |
|
| 27 |
What about just using: |
| 28 |
auth required pam_deny and nothing else for the auth service |
| 29 |
|
| 30 |
Paul |
| 31 |
|
| 32 |
ps. the password service should not be needed by ssh (it doesn't set |
| 33 |
passwords), so make it deny too. |
| 34 |
|
| 35 |
-- |
| 36 |
Paul de Vrieze |
| 37 |
Gentoo Developer |
| 38 |
Mail: pauldv@g.o |
| 39 |
Homepage: http://www.devrieze.net |
Archives