On Mon, May 06, 2002 at 03:52:21PM +0200, Tim van Erven wrote:
> On Mon, May 06, 2002 at 03:08:45PM +0200, "Bernhard R. Link" <[EMAIL PROTECTED]> wrote:
> I disagree. By that reasoning it would be even better if OpenSSH
> double-checked all of PAM's work. That would add bloat to ssh and
> possibly even introduce new security problems. If you're going to rely
> on PAM, you should rely on PAM.

Does sshd even use PAM at all when SSH authentication methods other than password are used? For this to be a problem, someone would have to get their public key into root's authorized_keys. However, the situation could occur, and sshd obviously must not allow root logins when its config file says not to. (Maybe there are keys lying around, but you want to cut off root logins...)

Offloading this job to PAM is a good idea, except that it's convenient to have it built in to ssh. I know what PAM is, but I've hardly ever touched a PAM config file. If I would have had to learn PAM to disable root logins, I might not have gone to the trouble of doing it. It's just my home computer; anything more than script kiddies is unlikely.

Having a useful security feature that's easy to use is a good idea, IMHO, since it will make a significant number of computers significantly more secure. (A lot of people are not very careful about security, so making it easy to implement things that are useful for most people is a good thing.)

-- 
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces!" -- Plautus, 200 BCE
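Added example (not part of the original message, and not OpenSSH code): a small Python audit of an sshd_config text that reports which login methods sshd's own PermitRootLogin setting leaves open to root, whatever PAM is configured to do. The function name, the constructed sample config and the default used when the keyword is absent are assumptions.

```python
# Added example: report which login methods sshd itself leaves open to root.
# Values and meanings follow sshd_config(5); the sample config is constructed.

ROOT_METHODS = {
    "yes": {"password", "publickey"},
    "prohibit-password": {"publickey"},
    "without-password": {"publickey"},      # older spelling of prohibit-password
    "forced-commands-only": {"publickey"},  # only keys carrying a command= option
    "no": set(),
}

def audit_root_login(config_text, default="prohibit-password"):
    """Return (global_value, methods_open_to_root, match_overrides).

    default is an assumption: recent OpenSSH uses prohibit-password when the
    keyword is absent; pass "yes" to model older releases.
    """
    global_value = None
    overrides = []        # (Match criteria, value) pairs that can relax the global
    current_match = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()   # "Keyword=value" is accepted too
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            current_match = " ".join(args)
        elif keyword == "permitrootlogin" and args:
            value = args[0].lower()
            if current_match is not None:
                overrides.append((current_match, value))
            elif global_value is None:   # sshd keeps the first value it reads
                global_value = value
    if global_value is None:
        global_value = default
    return global_value, ROOT_METHODS.get(global_value, set()), overrides

SAMPLE = """\
# constructed sample
UsePAM yes
PubkeyAuthentication yes
PermitRootLogin no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin prohibit-password
"""
```

On the sample, the global result is `no` with no methods open to root, and the `Match` block is reported separately because it reopens key-based root login for that address range.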

