pam_ssh problems

From: Daniel O'Connor (doconnor_at_gsoft.com.au)
Date: 05/18/05

  • Next message: Jose M Rodriguez: "Re: pam_ssh problems"
    To: freebsd-hackers@freebsd.org
    Date: Wed, 18 May 2005 22:28:29 +0930

    I have used pam_ssh before, and I have the following in /etc/pam.d/system :-
    # auth
    auth sufficient pam_opie.so no_warn no_fake_prompts
    auth requisite pam_opieaccess.so no_warn allow_local
    #auth sufficient pam_krb5.so no_warn try_first_pass
    #auth sufficient pam_ldap.so no_warn try_first_pass
    auth sufficient pam_ssh.so no_warn try_first_pass
    auth required pam_unix.so no_warn try_first_pass nullok

    (ie what the committed version suggests).

    Just recently (last week or so) I have noticed that pam_ssh will let me
    login with _any_ password (empty, or just plain wrong)! :(

    If I get the passphrase wrong I login, but the key is not added to
    the agent (at least something is right :) It didn't used to do this
    however..

    I just found that I had made a id_rsa file for testing purposes with no
    passphrase on it. While that was a little dumb it seems very odd that
    pam_ssh would let me in with any password - I think it would make
    more sense to reject keys with no passphrase for authentication (with
    say a nullok option).

    I think I'll work on a patch.

    Basically this is a heads up for anyone else that uses pam_ssh to be
    a bit careful :)

    -- 
    Daniel O'Connor software and network engineer
    for Genesis Software - http://www.gsoft.com.au
    "The nice thing about standards is that there
    are so many of them to choose from."
      -- Andrew Tanenbaum
    GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
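As an added example (not from the post, and not pam_ssh's own code), a Python check a defender could run against the stack quoted above: it flags the combination the post describes, pam_ssh marked `sufficient` together with a private key that carries no passphrase, in either the classic PEM layout or the newer openssh-key-v1 container. The PAM lines are the post's; the key samples and the openssh-key-v1 builder are constructed here and are not usable keys.

```python
import base64
import struct
# The auth stack quoted in the post: pam_ssh is 'sufficient', so a key that
# opens with whatever was typed grants login without reaching pam_unix.
PAM_SYSTEM_AUTH = """
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
"""

def pam_ssh_is_sufficient(pam_conf):
    """True if the stack contains an 'auth sufficient ... pam_ssh.so' line."""
    for raw in pam_conf.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 3 and f[:2] == ["auth", "sufficient"] and f[2].endswith("pam_ssh.so"):
            return True
    return False

def private_key_is_encrypted(pem):
    """True if the key needs a passphrase: classic PEM keys carry a
    'Proc-Type: 4,ENCRYPTED' header; openssh-key-v1 names its cipher ('none' = clear)."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(b"openssh-key-v1\x00"):
            raise ValueError("bad openssh-key-v1 magic")
        (n,) = struct.unpack(">I", blob[15:19])  # cipher-name length follows the 15-byte magic
        return blob[19:19 + n] != b"none"
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:])

def audit(pam_conf, keys):
    """Names of unencrypted keys that, with this stack, let pam_ssh accept any password."""
    if not pam_ssh_is_sufficient(pam_conf):
        return []
    return [name for name, pem in keys.items() if not private_key_is_encrypted(pem)]

def constructed_openssh_v1(cipher):
    """CONSTRUCTED, truncated openssh-key-v1 file: magic and cipher name only."""
    blob = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % base64.b64encode(blob).decode()

# Constructed samples; the classic PEM bodies are placeholders, not key material.
SAMPLE_KEYS = {
    "id_rsa_test": "-----BEGIN RSA PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n",
    "id_rsa": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,00\n"
               "\nUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n"),
    "id_ed25519": constructed_openssh_v1("aes256-ctr"),
    "id_ed25519_nopass": constructed_openssh_v1("none"),
}
```

`audit(PAM_SYSTEM_AUTH, SAMPLE_KEYS)` returns the two passphrase-less names; with pam_ssh removed or demoted from `sufficient` it returns an empty list.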

