On Wednesday, 18 May 2005 14:58, Daniel O'Connor wrote:
> I have used pam_ssh before, and I have the following in
> /etc/pam.d/system :-
> # auth
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> #auth sufficient pam_krb5.so no_warn try_first_pass
> #auth sufficient pam_ldap.so no_warn try_first_pass
> auth sufficient pam_ssh.so no_warn try_first_pass
> auth required pam_unix.so no_warn try_first_pass nullok
>
> (ie what the committed version suggests).
>
> Just recently (last week or so) I have noticed that pam_ssh will let
> me login with _any_ password (empty, or just plain wrong)! :(
>
> If I get the passphrase wrong I login, but the key is not added to
> the agent (at least something is right :) It didn't used to do this
> however..
>
> I just found that I had made an id_rsa file for testing purposes with
> no passphrase on it. While that was a little dumb it seems very odd
> that pam_ssh would let me in with any password - I think it would
> make more sense to reject keys with no passphrase for authentication
> (with say a nullok option).
>
> I think I'll work on a patch.
>
> Basically this is a heads up for anyone else that uses pam_ssh to be
> a bit careful :)
I use this, but not for login/auth, only to get the agent running with the keys decrypted (same passwd used).

--
josemi

--- /etc/pam.d/login ---
#
# $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
#
# PAM configuration for the "login" service
#

# auth
auth        required    pam_nologin.so      no_warn
auth        sufficient  pam_self.so         no_warn
auth        include     system
auth        optional    pam_ssh.so          use_first_pass

# account
account     requisite   pam_securetty.so
account     include     system

# session
session     include     system
session     optional    pam_ssh.so          want_agent

# password
password    include     system

_______________________________________________
freebsd-hackers mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
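The bypass described in the thread only arises when a private key has no passphrase, so an audit that flags such keys before they end up in ~/.ssh is a useful safeguard. This added Python example (not from the list or from pam_ssh) inspects key file headers, the `Proc-Type: 4,ENCRYPTED` marker in legacy PEM keys and the cipher-name field in the newer OpenSSH format, on constructed sample keys; the file names are assumptions.

```python
import base64
import re
import struct
from typing import Optional


def key_is_passphrase_protected(pem: str) -> Optional[bool]:
    """True if the key is encrypted under a passphrase, False if stored in the
    clear, None if the format is not one this checker understands."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if not lines:
        return None
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # New OpenSSH format: the base64 blob starts with a magic string, then a
        # length-prefixed cipher name; "none" means no passphrase was set.
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            return None
        off = len(magic)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n].decode("ascii", "replace")
        return cipher != "none"
    if re.match(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", header):
        # Legacy PEM format: encrypted keys carry Proc-Type/DEK-Info headers.
        return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:])
    return None


def unprotected_keys(keys: dict) -> list:
    """Names of keys (name -> PEM text) that pam_ssh would accept with any password."""
    return sorted(n for n, pem in keys.items() if key_is_passphrase_protected(pem) is False)


def _openssh_sample(cipher: str) -> str:
    # Constructed sample: only the magic and cipher fields are meaningful, the rest is filler.
    blob = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode() + b"\x00" * 16
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples standing in for files under ~/.ssh; none is a real key.
SAMPLE_KEYS = {
    "id_ed25519": _openssh_sample("aes256-ctr"),
    "id_rsa_test": _openssh_sample("none"),
    "id_rsa_old": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nQUJDREVGR0g=\n"
                  "-----END RSA PRIVATE KEY-----\n",
    "id_dsa_plain": "-----BEGIN DSA PRIVATE KEY-----\nQUJDREVGR0g=\n-----END DSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for name in unprotected_keys(SAMPLE_KEYS):
        print(f"{name}: no passphrase, pam_ssh authentication would accept any password")
```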

