Re: sshd open to everyone if PAM auth sufficient
From: Bill Unruh (unruh@physics.ubc.ca)Date: 04/10/02
- In reply to: Niccolo Rigacci: "sshd open to everyone if PAM auth sufficient"
From: unruh@physics.ubc.ca (Bill Unruh) Date: 9 Apr 2002 22:16:20 GMT
In <a8v7d1$pvi$1@fe2.cs.interbusiness.it> "Niccolo Rigacci" <niccolo@texnet.it> writes:
]Package: ssh
]Version: 3.0.2p1-8
]I was playing with PAM, and I discovered something potentially
]dangerous. I changed the auth from "required" to "sufficient"
](in order to add - later - other PAM modules) in the PAM
]configuration file for ssh.
sufficient means that if it passes that item, then that is all that is
needed for entry. If it fails, then it is ignored, and the other items
are checked. With no other items of any note, you are letting people in.
required means that if that item fails, then authentication fails and
the user is denied. If it succeeds, then other tests may be applied as
well.
I.e., your reasons for the change are invalid. You should have left it as
required.
(required is logical and. sufficient is logical or.)
]auth required pam_nologin.so A
]auth sufficient pam_unix.so B
]auth required pam_env.so # [1] C
(A and C) or B
authenticates.
]account required pam_unix.so
]session required pam_unix.so
]session optional pam_lastlog.so # [1]
]session optional pam_motd.so # [1]
]session optional pam_mail.so standard noenv # [1]
]session required pam_limits.so
]password required pam_unix.so
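As an added illustration (not part of the original thread), a small evaluator for Linux-PAM control flags run over the quoted auth stack; it assumes standard Linux-PAM semantics for required/requisite/sufficient/optional and that pam_nologin and pam_env succeed, as they normally do when no /etc/nologin exists:

```python
# Simplified Linux-PAM auth-stack evaluation (assumption: standard control-flag
# semantics; optional modules only count when nothing else is in the stack).
from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # (control flag, module name)


def pam_auth(stack: List[Entry], results: Dict[str, bool]) -> bool:
    """Return True if the stack grants access, given each module's result.

    results maps module name -> True (PAM_SUCCESS) / False (failure).
    Modules absent from results are treated as succeeding.
    """
    failed = False       # a required module has already failed
    decisive = False     # the stack contains a non-optional module
    optional_ok = True
    for control, module in stack:
        ok = results.get(module, True)
        if control == "requisite":
            decisive = True
            if not ok:
                return False           # fail immediately
        elif control == "required":
            decisive = True
            if not ok:
                failed = True          # remembered, but the stack keeps running
        elif control == "sufficient":
            decisive = True
            if ok and not failed:
                return True            # nothing further is consulted
            # a failing sufficient module is simply ignored
        elif control == "optional":
            optional_ok = optional_ok and ok
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return optional_ok if not decisive else not failed


# The quoted auth section, with pam_unix as "sufficient" and as "required".
WEAK_STACK: List[Entry] = [("required", "pam_nologin.so"),
                           ("sufficient", "pam_unix.so"),
                           ("required", "pam_env.so")]
FIXED_STACK: List[Entry] = [("required", "pam_nologin.so"),
                            ("required", "pam_unix.so"),
                            ("required", "pam_env.so")]


def wrong_password_gets_in(stack: List[Entry]) -> bool:
    """pam_unix rejects the password; nologin and env succeed as usual."""
    return pam_auth(stack, {"pam_unix.so": False})
```

With the weak stack a rejected password still ends in success, because the only remaining modules are required ones that always pass; with pam_unix back to required the failure is remembered and the login is denied.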