Re: PermitRootLogin without-password and UsePAM yes doesn't work
From: Darren Tucker (dtucker_at_dodgy.net.au)
Date: 11/27/04
- Previous message: Mike Zulauf: "weird ssh problem under OS X 10.3.6"
- In reply to: Hans: "PermitRootLogin without-password and UsePAM yes doesn't work"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 27 Nov 2004 03:37:55 +0000 (UTC)
In article <1ea95d2e.0411250135.51de0572@posting.google.com>,
Hans <hans753@hotmail.com> wrote:
>I'm using openSSH 3.8.p1 on SuSE Linux Enterprise Server 9 (SLES 9).
>
>I've set the following in the sshd_config:
>PermitRootLogin without-password
>UsePAM yes
>
>=> I shouldn't be able to login as root with a password, but it works:
>Logfile:
>Accepted keyboard-interactive/pam for root from ::ffff:xxx.xxx.xxx.xxx
>port 4108 ssh2
From a protocol standpoint, that's not "password" authentication, it's
keyboard-interactive via PAM. Now it happens that PAM uses a password,
but sshd has no way of knowing that, it could have been a S/Key, a
token or something.
The man page isn't all that clear about that in 3.8x, but it's a little
clearer in 3.9p1. At some point it would be good to extend
PermitRootLogin to allow a comma-separated list of auth methods or
something...
>If I set 'UsePAM no' everything works as expected.
>
>In future I've to use PAM to get LDAP authentication => what I've to
>do get it working.
Upgrade to 3.9p1 and disable ChallengeResponseAuthentication.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
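
Added example, not part of the original message and not OpenSSH code: a small Python check for the configuration discussed in this thread. It reports when root can still present a password through keyboard-interactive/PAM although PermitRootLogin is set to without-password. The default values, sample configs and function names are assumptions for the 3.8-era sshd described above, and the check covers only the configuration half of the advice, not the upgrade.

```python
# Added example: audit sshd_config text for the gap discussed in this thread.
# DEFAULTS are assumed values for the 3.8-era sshd, not read from a live server.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}

def parse_sshd_config(text):
    """Return {keyword: value}; sshd uses the first value it sees per keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # "Keyword value" form only
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        settings.setdefault(key, value)      # first occurrence wins
    return settings

def root_password_paths(text):
    """List the auth methods through which root could still type a password."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    root = cfg["permitrootlogin"]
    paths = []
    if root == "yes" and cfg["passwordauthentication"] == "yes":
        paths.append("password")
    # Per the reply above: sshd cannot tell that PAM is asking for a password,
    # so without-password does not stop keyboard-interactive via PAM.
    if (root in ("yes", "without-password")
            and cfg["usepam"] == "yes"
            and cfg["challengeresponseauthentication"] == "yes"):
        paths.append("keyboard-interactive/pam")
    return paths

# Constructed sample configs: the poster's settings, then the suggested change.
HANS_CONFIG = "PermitRootLogin without-password\nUsePAM yes\n"
HARDENED_CONFIG = HANS_CONFIG + "ChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for name, text in (("original", HANS_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, root_password_paths(text) or "no password path for root")
```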