
Re: SSH package concerns...



On Tue, May 10, 2005 at 10:09:59AM -0500, Pete Harlan wrote:
> On Mon, May 09, 2005 at 10:16:24PM -0400, Adam Skutt wrote:
> > Nathan Dragun wrote:
> > > While setting up PAM in conjunction with SSH I included the following
> > > line to deny access unless found in the following file:
> > > 
> > > auth    required        pam_listfile.so sense=allow onerr=fail item=user
> > > file=/etc/sshloginusers
> > > 
> > > Which works, sort of.
> > Don't use it.  sshd(8) lets you deny and allow users via
> > /etc/ssh/sshd_config.
> > 
> > Reading the daemon documentation before doing something like this is
> > always a good idea.
> 
> He didn't say there wasn't another way to do it, he said there was a
> security hole.

I believe SSH supports multiple types of authentication.  If PAM fails,
it will use the next configured one.  It's a feature of SSH.  It isn't
as if PAM can disable SSH key logins either.  Is that a security hole?
Misconfiguring sshd doesn't mean it is insecure.  It still requires a
valid account and password to log in.

Len Sorensen
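
An added example, not part of the original message or of OpenSSH: a small Python check that reads an sshd_config and a PAM service file and reports when a pam_listfile allow-list sits only in the PAM auth stack while public-key logins are enabled and sshd has no AllowUsers/AllowGroups of its own. It assumes upstream OpenSSH defaults (PubkeyAuthentication yes, UsePAM no), ignores Match blocks and @include lines, and runs on constructed sample configs with placeholder user names.

```python
# Constructed sample configs; the user names are placeholders.
SSHD = "UsePAM yes\nPubkeyAuthentication yes\n"
SSHD_ACL = SSHD + "AllowUsers alice bob\n"
LISTFILE = "pam_listfile.so sense=allow onerr=fail item=user file=/etc/sshloginusers"
PAM_AUTH_ONLY = f"auth required {LISTFILE}\nauth required pam_unix.so\naccount required pam_unix.so\n"
PAM_ACCOUNT = f"auth required pam_unix.so\naccount required {LISTFILE}\naccount required pam_unix.so\n"

def parse_sshd(text):
    """Return {keyword: value} for the global section; sshd keeps the first value seen."""
    opts = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].lower() == "match":   # per-match overrides are out of scope here
            break
        opts.setdefault(fields[0].lower(), fields[1].strip() if len(fields) > 1 else "")
    return opts

def pam_stacks_using(text, module):
    """Return the PAM types (auth, account, ...) whose stack loads `module`."""
    types = set()
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        # Compare basenames so full module paths and bracketed controls both work.
        if any(f.split("/")[-1] == module for f in fields[1:]):
            types.add(fields[0].lstrip("-"))
    return types

def audit(sshd_text, pam_text, module="pam_listfile.so"):
    """Return findings about where the login allow-list is actually enforced."""
    sshd = parse_sshd(sshd_text)
    stacks = pam_stacks_using(pam_text, module)
    use_pam = sshd.get("usepam", "no").lower() == "yes"
    pubkey = sshd.get("pubkeyauthentication", "yes").lower() == "yes"
    sshd_acl = any(k in sshd for k in ("allowusers", "allowgroups"))
    findings = []
    # Public-key logins skip the PAM auth stack; with UsePAM yes, account still runs.
    if "auth" in stacks and "account" not in stacks and pubkey and not sshd_acl:
        findings.append("allow-list is only in the PAM auth stack; public-key logins do not run it")
    if stacks and not use_pam:
        findings.append("UsePAM is not enabled; sshd never consults the PAM allow-list")
    return findings

if __name__ == "__main__":
    for name, s, p in [("auth only", SSHD, PAM_AUTH_ONLY), ("AllowUsers", SSHD_ACL, PAM_AUTH_ONLY),
                       ("account stack", SSHD, PAM_ACCOUNT)]:
        print(name, "->", audit(s, p) or "ok")
```
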


