On Nov 23, 2007 1:21 PM, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
> > > > "ChallengeResponseAuthentication no" is also required to avoid sshd
> > > > accepting keyboard-interactive/pam.
>
> This affects all users, and not just root.  This is probably not
> what you want.

Yes. But without PAM, sshd just prompts for the password in a slightly different way.
PuTTY output:

PAM:

Using username "root".
Using keyboard-interactive authentication.
Password:


sshd:

Using username "root".
[EMAIL PROTECTED]'s password:


And, what's worse, if the system is going down (in 5 minutes),
  pam_nologin.so in /etc/pam.d/sshd
will kick you (non-root) out even if you have
  ignorenologin
in your login class, while removing that line from PAM will
render the nologin feature useless for all users.

In other words, if a system uses PAM and forbids root login
using a password, administrators (staff or wheel) have no way
to log in again to stop the pending shutdown if they don't have
the root key at hand in a timely manner.



> And have you tried actually attempting to log in with root's password
> that way?  I'm betting it doesn't work.

That really worked for me. I'm running RELENG_5. The cvsid for
/etc/pam.d/sshd is
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
sshd version:
OpenSSH_3.8.1p1 FreeBSD-20060930, OpenSSL 0.9.7e-p1 25 Oct 2004


My proof:

Using username "root".
Using keyboard-interactive authentication.
Password:
Last login: Fri Nov 23 09:14:27 2007 from 61.136.19.236
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

FreeBSD 5.5-STABLE (JACKQQNAT) #6: Mon Nov 19 21:33:30 CST 2007

[EMAIL PROTECTED] [~] 13:51 Fri Nov 23
#cat /etc/pam.d/sshd
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
...


Without PAM:

Using username "root".
[EMAIL PROTECTED]'s password:
Access denied
[EMAIL PROTECTED]'s password:


-- 
裘 (QIU Quan) <[EMAIL PROTECTED]>
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
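
The check below is an added example written for this page; it is not code from the thread or from FreeBSD. It reads an sshd_config fragment and lists every method by which a remote client can still reach a password prompt for root, which is the point Jeremy Chadwick and the poster are arguing about: with UsePAM yes, "PasswordAuthentication no" turns off the "password" method, but "ChallengeResponseAuthentication yes" (the default) still hands keyboard-interactive to PAM, and PAM asks for the Unix password itself. The script models two documented sshd behaviours: the first occurrence of a keyword in sshd_config wins, and before OpenSSH 7.0 (the thread's 3.8.1p1 included) "PermitRootLogin without-password" refused only the "password" method for root, so keyboard-interactive still went through; 7.0 narrowed it to publickey, hostbased and GSSAPI. The defaults it assumes are upstream defaults of that era (FreeBSD's shipped file sets UsePAM yes, so run it on the real file), the two config fragments are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# keyboard-interactive/PAM gap discussed above. The sshd_config fragments
# below are constructed for the demonstration.

# sshd_value CONFIG_TEXT KEYWORD DEFAULT
# Print the effective value of KEYWORD, lower-cased. sshd_config takes the
# first occurrence of a keyword; keywords are case-insensitive; '#' starts a
# comment. Only the "Keyword value" form is handled, and Match blocks
# (OpenSSH 4.4 and later) are not interpreted.
sshd_value() {
    _val=$(printf '%s\n' "$1" | awk -v k="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == tolower(k) { print $2; exit }
    ')
    printf '%s\n' "${_val:-$3}" | tr 'A-Z' 'a-z'
}

# root_password_paths CONFIG_TEXT PRE70
# Print one line per authentication method through which a remote client can
# still reach a password prompt for root; print nothing when root is
# key-only. PRE70=yes models sshd before OpenSSH 7.0 (the thread's 3.8.1p1
# included), where "PermitRootLogin without-password" refused only the
# "password" method and still let keyboard-interactive through for root;
# OpenSSH 7.0 narrowed it to publickey, hostbased and GSSAPI.
# Defaults here are upstream OpenSSH defaults of that era (assumption);
# FreeBSD's shipped sshd_config sets UsePAM yes, so audit the real file.
root_password_paths() {
    _cfg=$1; _pre70=$2
    _prl=$(sshd_value "$_cfg" PermitRootLogin yes)
    _pw=$(sshd_value "$_cfg" PasswordAuthentication yes)
    _cra=$(sshd_value "$_cfg" ChallengeResponseAuthentication yes)
    _pam=$(sshd_value "$_cfg" UsePAM no)

    case "$_prl" in
        no|forced-commands-only) return 0 ;;
    esac
    # Plain "password" method: open only under PermitRootLogin yes.
    if [ "$_prl" = yes ] && [ "$_pw" = yes ]; then
        echo "password: PasswordAuthentication yes"
    fi
    # "keyboard-interactive" handed to PAM: PAM asks for the Unix password
    # itself, so PasswordAuthentication no does not close it.
    if [ "$_cra" = yes ] && [ "$_pam" = yes ]; then
        if [ "$_prl" = yes ] || [ "$_pre70" = yes ]; then
            echo "keyboard-interactive: ChallengeResponseAuthentication yes with UsePAM yes"
        fi
    fi
    return 0
}

# count_root_password_paths CONFIG_TEXT PRE70
# Number of lines printed above; 0 means root is key-only.
count_root_password_paths() {
    root_password_paths "$1" "$2" | wc -l | tr -d ' '
}

# Constructed fragment that reproduces the thread's symptom: password login
# for root is meant to be off, PAM is on, keyboard-interactive left at default.
WEAK_CFG='# constructed sshd_config fragment
PermitRootLogin without-password
PasswordAuthentication no
UsePAM yes'

# Same fragment with the setting Jeremy Chadwick named. As he notes, it
# switches keyboard-interactive off for every user, not only root.
FIXED_CFG='# constructed sshd_config fragment
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes'

echo "weak, OpenSSH 3.8:";  root_password_paths "$WEAK_CFG" yes
echo "fixed, OpenSSH 3.8:"; root_password_paths "$FIXED_CFG" yes
echo "weak, OpenSSH 7.0+:"; root_password_paths "$WEAK_CFG" no
```

Run it against /etc/ssh/sshd_config by passing `"$(cat /etc/ssh/sshd_config)"` as the first argument. The third call shows why the thread's advice is version-specific: the same "weak" file is already key-only for root on a 7.0 or later sshd, while on the poster's 3.8.1p1 only the ChallengeResponseAuthentication change closes the PAM path, at the cost of keyboard-interactive for all users.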
