On Jan 10, 2011, at 5:36 PM, Garance A Drosihn wrote:

> On 1/8/11 4:33 PM, Levan, Jerry wrote:
>> Grumble,
>>
>> sshd_config lies...
>>
>> Checking the security log shows that ssh is using PAM even
>> though sshd_config had
>>
>> #UsePAM no
>>
>> I had to uncomment the above line and reboot to get
>> password authentication killed.
>>
>> ....Hold the phone...
>> I just checked another one of my macs and the sshd_config file
>> is *different* from the one on the server! They are running the
>> same OS version and level.
>>
>> My other mac has
>> #UsePAM yes
>> and more discussion prior to the directive.
>
> Note that the distributed sshd_config really is just a file
> of comments. The comments are supposed to match what options
> are compiled into that version of sshd, but there's nothing
> to make sure that the comments match the binary.
>
> Thus it isn't too surprising that some comments might not
> match the version of sshd which is running.
All true, but no reason why a sysadmin should complain of sshd "lying". It's a simple matter to just perform a `sshd -T` and see exactly what is and isn't configured. A sysadmin should be expected to read the man page at least, especially if it's not behaving as they expect. Blaming software for your own errors isn't helpful.

Running `sshd -T` on one of my OSXS systems (which may not match yours) reveals:

Could not load host key: /etc/ssh_host_rsa_key
Could not load host key: /etc/ssh_host_dsa_key
port 22
protocol 2
addressfamily any
listenaddress [::]:22
listenaddress 0.0.0.0:22
usepam 1
serverkeybits 1024
logingracetime 120
keyregenerationinterval 3600
x11displayoffset 10
maxauthtries 6
maxsessions 10
clientaliveinterval 0
clientalivecountmax 3
permitrootlogin yes
ignorerhosts yes
ignoreuserknownhosts no
rhostsrsaauthentication no
hostbasedauthentication no
hostbasedusesnamefrompacketonly no
rsaauthentication yes
pubkeyauthentication yes
kerberosauthentication yes
kerberosorlocalpasswd yes
kerberosticketcleanup yes
gssapiauthentication yes
gssapicleanupcredentials yes
passwordauthentication no
kbdinteractiveauthentication yes
challengeresponseauthentication yes
printmotd yes
printlastlog yes
x11forwarding no
x11uselocalhost yes
strictmodes yes
tcpkeepalive yes
permitemptypasswords no
permituserenvironment no
uselogin no
compression delayed
gatewayports no
usedns yes
allowtcpforwarding yes
useprivilegeseparation yes
pidfile /var/run/sshd.pid
xauthlocation /usr/X11R6/bin/xauth
authorizedkeysfile .ssh/authorized_keys
authorizedkeysfile2 .ssh/authorized_keys2
loglevel INFO
syslogfacility AUTHPRIV
hostkey /etc/ssh_host_rsa_key
hostkey /etc/ssh_host_dsa_key
subsystem sftp /usr/libexec/sftp-server
maxstartups 10:100:10
permittunnel no
permitopen any

Which would indicate there would be a lot of authentication types that would need to be disabled, other than just PAM and passwordauthentication, if you wanted to have only keys enabled.
And configuring this system wide may not be a good idea as it could lock out other functions (such as Open Directory master/slave operations). It would be better to configure for specific users accordingly.

I'd strongly suggest the original poster review the sshd and ssh docs found in the man pages, online at openssh.com and, since it seems there's a lot being missed in expected behavior, I'd also highly suggest reading the "snail book" from O'Reilly. You can get a trial subscription to their excellent Safari Online Book Service and have the opportunity to read it in depth during the trial. Click the link on the page below.

http://oreilly.com/catalog/9780596008956

-d

------------------------------------------------------------------------
Dan Shoop
[email protected]
GoogleVoice: 1-646-402-5293
aim: iWiring
twitter: @colonelmode

_______________________________________________
MacOSX-admin mailing list
[email protected]
http://www.omnigroup.com/mailman/listinfo/macosx-admin
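Added example (not from the thread above): a small POSIX sh check that reads `sshd -T` output and reports every non-key authentication method still enabled, which is the audit the reply describes. The sample dump is constructed from the authentication lines of the `sshd -T` output quoted in the message; the list of method keywords is an assumption about which effective-config keys admit a client without a public key.

```sh
#!/bin/sh
# Constructed sample: the authentication-related lines from the sshd -T dump
# quoted above (sshd -T prints the effective config, one lowercase keyword per line).
SAMPLE_DUMP='usepam 1
passwordauthentication no
kbdinteractiveauthentication yes
challengeresponseauthentication yes
kerberosauthentication yes
gssapiauthentication yes
hostbasedauthentication no
rhostsrsaauthentication no
rsaauthentication yes
pubkeyauthentication yes
permitemptypasswords no
permitrootlogin yes'

# Constructed sample of the same keys on a host hardened to public key only.
HARDENED_DUMP='usepam 0
passwordauthentication no
kbdinteractiveauthentication no
challengeresponseauthentication no
kerberosauthentication no
gssapiauthentication no
hostbasedauthentication no
rhostsrsaauthentication no
pubkeyauthentication yes'

# Assumed list: effective-config keys that let a client in without a public key.
# Each should read "no" (or "0" for usepam) on a keys-only host.
NON_KEY_AUTH="usepam passwordauthentication kbdinteractiveauthentication \
challengeresponseauthentication kerberosauthentication gssapiauthentication \
hostbasedauthentication rhostsrsaauthentication"

# Reads an sshd -T dump on stdin, prints each non-key method still enabled.
# Returns 0 when the host is keys-only, 1 when anything else is still on.
check_keys_only() {
    found=0
    while read -r key value; do
        for m in $NON_KEY_AUTH; do
            [ "$key" = "$m" ] || continue
            case "$value" in
                yes|1) printf 'still enabled: %s %s\n' "$key" "$value"; found=1 ;;
            esac
        done
    done
    return $found
}

# Number of non-key methods the sample dump still has enabled (usepam,
# kbdinteractive, challengeresponse, kerberos, gssapi => 5).
count_enabled_in_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | check_keys_only | wc -l | tr -d ' '
}
```

On a live host the same check is `sshd -T | check_keys_only`; a non-zero exit means password-style or ticket-based methods are still reachable even though PasswordAuthentication is off.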
