sshd open to everyone if PAM auth sufficient

From: Niccolo Rigacci <niccolo@texnet.it>
Date: Tue, 9 Apr 2002 19:08:59 +0200

Package: ssh
Version: 3.0.2p1-8

I was playing with PAM, and I discovered something potentially
dangerous. I changed the auth from "required" to "sufficient"
(in order to add - later - other PAM modules) in the PAM
configuration file for ssh.

With this configuration everyone is able to log in from remote
as any user simply by supplying random chars as the password!

As you can see from the log, PAM_unix fails, but sshd accepts
the connection.

Help me to understand what is happening.

System: Debian GNU/Linux (woody)
OpenSSH 3.0.2p1-8
libpam-modules 0.72-35

Niccolo

/var/log/auth.log
--------------------------------------
Apr 9 18:46:48 pigbox PAM_unix[30697]: authentication failure; (uid=0) ->
root for ssh service
Apr 9 18:46:48 pigbox sshd[30697]: Accepted password for root from
195.110.109.2 port 4309
Apr 9 18:46:48 pigbox PAM_unix[30697]: (ssh) session opened for user root
by (uid=0)

/etc/pam.d/ssh
--------------------------------------
#%PAM-1.0
auth required pam_nologin.so
auth sufficient pam_unix.so
auth required pam_env.so # [1]
account required pam_unix.so
session required pam_unix.so
session optional pam_lastlog.so # [1]
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
password required pam_unix.so
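The log above is what the Linux-PAM control flags produce for this stack: a failing "sufficient" module is ignored, and the "required" modules around it (pam_nologin, pam_env) succeed without ever looking at the password, so the auth stack as a whole returns success. The Python below is an added model of those stack semantics (not code from the post or from Linux-PAM); it parses the quoted /etc/pam.d/ssh, evaluates it with the results the log shows, and contrasts it with pam_unix set back to "required". The set of non-authenticating modules and the single failure code are simplifying assumptions of this model.

```python
"""Model of how a Linux-PAM auth stack combines module results.

Added illustration, not code from the original post or from Linux-PAM.
It follows the control-flag semantics documented in pam.conf(5)
(required / requisite / sufficient / optional), collapsed to a single
failure code, and applies them to the /etc/pam.d/ssh quoted in the post.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"        # some module rejected the authentication
PAM_PERM_DENIED = "PAM_PERM_DENIED"  # stack ended without any module deciding


def parse_auth_stack(pam_file_text):
    """Return the 'auth' lines of a /etc/pam.d file as (control, module) tuples.

    '#' comments (the '#%PAM-1.0' header and trailing '# [1]' included) are
    dropped; module arguments after the module name are ignored here.
    """
    stack = []
    for line in pam_file_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack


def evaluate(stack, results):
    """Combine per-module results into the overall result of the auth stack.

    stack   : list of (control, module) in file order
    results : dict module -> True (module returned success) / False
    """
    impression = None  # None = nothing decided yet, else "positive"/"negative"
    for control, module in stack:
        ok = results[module]
        if control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression = "positive"
            elif control == "requisite":
                return PAM_AUTH_ERR        # requisite failure: stop immediately
            else:
                impression = "negative"    # required failure: remember, keep going
        elif control == "sufficient":
            if ok:
                # success ends the stack, unless a required module already failed
                return PAM_AUTH_ERR if impression == "negative" else PAM_SUCCESS
            # a failing sufficient module is simply ignored
        elif control == "optional":
            if ok and impression is None:
                impression = "positive"    # only counts if nothing else decided
        else:
            raise ValueError("unsupported control flag: %s" % control)
    if impression == "positive":
        return PAM_SUCCESS
    if impression == "negative":
        return PAM_AUTH_ERR
    return PAM_PERM_DENIED                 # nothing decided: closed by default


# The /etc/pam.d/ssh quoted in the post (auth section as the author changed it).
POSTED_PAM_SSH = """\
#%PAM-1.0
auth required pam_nologin.so
auth sufficient pam_unix.so
auth required pam_env.so # [1]
account required pam_unix.so
session required pam_unix.so
password required pam_unix.so
"""

# Same file with pam_unix.so back to "required".
FIXED_PAM_SSH = POSTED_PAM_SSH.replace("auth sufficient pam_unix.so",
                                       "auth required pam_unix.so")

# Assumption of this model: modules that never check a credential and succeed
# whenever they run. pam_nologin of that era returned success when /etc/nologin
# was absent (newer releases return PAM_IGNORE unless given 'successok', which
# would leave the decision to pam_env and change nothing here).
NON_AUTHENTICATING = {"pam_nologin.so", "pam_env.so", "pam_permit.so"}


def wrong_password_results(stack):
    """Module results for a bad password: credential checks fail, the rest succeed."""
    return {module: module in NON_AUTHENTICATING for _, module in stack}


def accepts_wrong_password(pam_file_text):
    """Defender's check: does this file's auth stack let a bad password through?"""
    stack = parse_auth_stack(pam_file_text)
    return evaluate(stack, wrong_password_results(stack)) == PAM_SUCCESS


if __name__ == "__main__":
    for name, text in (("posted", POSTED_PAM_SSH), ("fixed", FIXED_PAM_SSH)):
        stack = parse_auth_stack(text)
        print("%s stack, wrong password -> %s"
              % (name, evaluate(stack, wrong_password_results(stack))))
```

Run against the posted file the model returns PAM_SUCCESS for a wrong password, matching the "Accepted password for root" line in auth.log; with pam_unix.so "required" the same input yields PAM_AUTH_ERR. The model also shows the other half of the rule: a stack containing only a failing "sufficient" module is denied because no module ever contributed a decision, which is why a "sufficient" credential check is only safe when nothing after it (or before it) succeeds unconditionally.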
