Re: core dump with openssh 3.8 on HP11 with PAM

From: Darren Tucker (dtucker_at_dodgy.net.au)
Date: 03/13/04

    Date: Sat, 13 Mar 2004 10:45:31 +0000 (UTC)

    In article <a9042b00.0403121157.76270462@posting.google.com>,
    Dan Oviatt <oviattd@mont.disa.mil> wrote:
    >> http://bugzilla.mindrot.org/show_bug.cgi?id=808
    >
    >Well that's what I get for not checking Bugzilla first...
    >
    >Forgive my HP ignorance, but the way I understand it, using the
    >"keyboard-interactive" method means you are letting PAM do the
    >authentication, whereas if you leave PasswordAuthentication set to yes,
    >then you are kind of bypassing PAM. Is that why keyboard-interactive
    >is the "preferred" method for use with PAM?

    Yes. You can authenticate with password (i.e. the contents of /etc/passwd
    and/or /etc/shadow) and still have the PAM account and session modules
    run, but if you want to actually authenticate via PAM with 3.7p1 and up,
    you need to use keyboard-interactive.

    >The whole reason why I
    >even ask is that our security documentation stipulates that they want
    >ChallengeResponseAuthentication set to no, which shuts off
    >keyboard-interactive authentications. Well if you do that and have
    >PasswordAuthentication also set to no, then the user can't even login
    >because all the authentications have been shut off (we don't use public
    >key). Is there any valid (security) reason to say
    >ChallengeResponseAuthentication must be set to no, or are the security
    >people worrying about something that no longer applies to the current
    >versions of OpenSSH?

    They're probably referring to this:
    http://www.openssh.com/txt/preauth.adv

    In general, disabling stuff you don't need is good policy, but for PAM
    you now need ChallengeResponseAuthentication enabled.

    -- 
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
        Good judgement comes with experience. Unfortunately, the experience
        usually comes from bad judgement.
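    The two misconfigurations discussed in this message (every authentication
    method switched off, and UsePAM enabled while keyboard-interactive is
    disabled) can be caught before sshd is restarted. The script below is an
    added example and is not part of Darren Tucker's reply or of OpenSSH
    itself. It assumes the sshd_config keywords PasswordAuthentication,
    ChallengeResponseAuthentication, PubkeyAuthentication and UsePAM, the
    defaults of a 3.7p1/3.8-era portable build (yes, yes, yes and no
    respectively), and sshd's rule that the first uncommented occurrence of a
    keyword wins and keywords are matched case-insensitively. The "PAM cannot
    authenticate" verdict restates what the reply says, not an independent
    claim about sshd internals.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config for
# (a) every authentication method switched off, and (b) UsePAM on while
# keyboard-interactive (ChallengeResponseAuthentication) is off.
# Assumed defaults (3.7p1/3.8-era portable build): PasswordAuthentication yes,
# ChallengeResponseAuthentication yes, PubkeyAuthentication yes, UsePAM no.

get_opt() {
    # $1 = config file, $2 = keyword, $3 = default used when the keyword is absent.
    # sshd matches keywords case-insensitively and uses the first occurrence.
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    val=$(awk -v key="$key" '
        /^[[:space:]]*#/ { next }                                   # skip comments
        NF >= 2 && tolower($1) == key { print tolower($2); exit }   # first match wins
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# Prints the effective settings and a verdict. Exit status: 0 = usable,
# 1 = nobody can log in, 2 = UsePAM is on but PAM cannot do the authenticating.
check_sshd_config() {
    f=$1
    pass=$(get_opt "$f" PasswordAuthentication yes)
    cra=$(get_opt "$f" ChallengeResponseAuthentication yes)
    pubkey=$(get_opt "$f" PubkeyAuthentication yes)
    usepam=$(get_opt "$f" UsePAM no)

    echo "$f: PasswordAuthentication=$pass ChallengeResponseAuthentication=$cra" \
         "PubkeyAuthentication=$pubkey UsePAM=$usepam"
    if [ "$pass" = no ] && [ "$cra" = no ] && [ "$pubkey" = no ]; then
        echo "  LOCKOUT: password, keyboard-interactive and public key are all off"
        return 1
    fi
    if [ "$usepam" = yes ] && [ "$cra" = no ]; then
        echo "  WARNING: UsePAM yes with ChallengeResponseAuthentication no:" \
             "PAM account/session modules still run, but PAM cannot authenticate"
        return 2
    fi
    echo "  OK"
    return 0
}

# Constructed sample: the combination the security documentation asked for.
LOCKED_OUT_CONFIG='UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication no'

# Constructed sample: let PAM authenticate via keyboard-interactive instead.
PAM_CONFIG='UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
PubkeyAuthentication no'

if [ "$#" -gt 0 ]; then
    check_sshd_config "$1"
else
    # No file given: run the check over the two constructed samples.
    tmp=$(mktemp)
    printf '%s\n' "$LOCKED_OUT_CONFIG" > "$tmp"
    check_sshd_config "$tmp" || true
    printf '%s\n' "$PAM_CONFIG" > "$tmp"
    check_sshd_config "$tmp" || true
    rm -f "$tmp"
fi
```

    Run it as `sh check_sshd_auth.sh /etc/ssh/sshd_config` (the filename is
    whatever you save it as) before restarting sshd; with no argument it
    demonstrates both constructed fragments. The exit status is meant for a
    change-control script: 1 means the new file would lock everyone out, 2
    means the policy of ChallengeResponseAuthentication no has quietly taken
    PAM out of the authentication step.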
    
