On Tuesday 10 August 2004 08:50, Adrian CAPDEFIER wrote:
> Hello.
> I'm trying to have my sshd use only key-based auth while still taking
> advantage of the PAM modules.
> My sshd_config is configured quite right but pam modules overwrite some of
> those settings that deny password login. How should I modify this file
>
> neuro root # cat /etc/pam.d/sshd
>
> auth required pam_unix.so nullok
> auth required pam_shells.so
> auth required pam_nologin.so
> auth required pam_env.so
> account required pam_unix.so
> password required pam_cracklib.so difok=3 retry=3 minlen=8 \
> dcredit=2 ocredit=2 use_authtok
> password required pam_unix.so shadow md5
> session required pam_unix.so
> session required pam_limits.so
>
> I've shamelessly copied this from the gentoo security guide and, as it
> was my understanding, it was supposed to deny password logins. Well it
> doesn't. When I disable PAM in /etc/ssh/sshd_config, passwords are
> disabled but as I said before I want to use PAM.
> Some recommended reading on PAM would be nice, too :).

What about just using:
auth required pam_deny and nothing else for the auth service

Paul

ps. the password service should not be needed by ssh (it doesn't set
passwords), so make it deny too.

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@g.o
Homepage: http://www.devrieze.net
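
The check below is an added example, not part of the original thread: it parses a PAM service file (joining backslash continuations like the one in the posted pam_cracklib line) and reports which of the auth and password stacks are not hard-denied. The function names are hypothetical, SUGGESTED is a constructed file that applies the reply's advice while keeping the poster's account and session lines, and only simple control keywords are handled (no bracketed `[value=action]` controls).

```python
# Added example: audit a PAM service file for stacks that are not hard-denied.
ORIGINAL = r"""
auth required pam_unix.so nullok
auth required pam_shells.so
auth required pam_nologin.so
auth required pam_env.so
account required pam_unix.so
password required pam_cracklib.so difok=3 retry=3 minlen=8 \
    dcredit=2 ocredit=2 use_authtok
password required pam_unix.so shadow md5
session required pam_unix.so
session required pam_limits.so
"""

# Constructed: the reply's suggestion applied, account/session kept as posted.
SUGGESTED = """
auth required pam_deny.so
account required pam_unix.so
password required pam_deny.so
session required pam_unix.so
session required pam_limits.so
"""

def parse_pam(text):
    """Return {type: [(control, module, args), ...]}, joining '\\' continuations."""
    stacks, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        fields = line.split()
        if len(fields) < 3:          # blank line or incomplete entry
            continue
        mtype, control, module = fields[0].lstrip("-"), fields[1], fields[2]
        stacks.setdefault(mtype, []).append((control, module, fields[3:]))
    return stacks

def open_stacks(text, must_deny=("auth", "password")):
    """Stacks in must_deny whose first entry is not a required/requisite pam_deny.so.
    A missing stack counts as open, since nothing in this file denies it."""
    stacks = parse_pam(text)
    def denied(entries):
        return bool(entries) and entries[0][1] == "pam_deny.so" \
            and entries[0][0] in ("required", "requisite")
    return [t for t in must_deny if not denied(stacks.get(t, []))]
```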