Re: SSH package concerns...
On Tue, May 10, 2005 at 10:09:59AM -0500, Pete Harlan wrote:
> On Mon, May 09, 2005 at 10:16:24PM -0400, Adam Skutt wrote:
> > Nathan Dragun wrote:
> > > While setting up PAM in conjunction with SSH I included the following
> > > line to deny access unless found in the following file:
> > >
> > > auth required pam_listfile.so sense=allow onerr=fail item=user
> > > file=/etc/sshloginusers
> > >
> > > Which works, sort of.
> > Don't use it. sshd(8) lets you deny and allow users via
> > /etc/ssh/sshd_config.
> >
> > Reading the daemon documentation before doing something like this is
> > always a good idea.
>
> He didn't say there wasn't another way to do it, he said there was a
> security hole.
I believe SSH supports multiple types of authentication. If PAM fails,
it will use the next configured one. It's a feature of SSH. It isn't
as if PAM can disable SSH key logins either. Is that a security hole?
Misconfiguring sshd doesn't mean it is insecure. It still requires a
valid account and password to log in.
Len Sorensen
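
Added example, not part of the original message or of any poster's configuration: a Python check for the situation discussed in this thread, where a pam_listfile allowlist in the PAM auth stack does not cover public-key logins while sshd_config user lists do. The sample file contents, the user names in the test and the function names are constructed for illustration; Match blocks in sshd_config are ignored.

```python
import re

# Constructed sample files for illustration (not from the posters' systems).
SAMPLE_PAM = """\
auth    required pam_listfile.so sense=allow onerr=fail item=user file=/etc/sshloginusers
auth    required pam_unix.so
account required pam_unix.so
"""
SAMPLE_SSHD = """\
UsePAM yes
PasswordAuthentication yes
"""

def pam_listfile_types(pam_text):
    """Return the PAM module types (auth, account, ...) that call pam_listfile."""
    types = set()
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and any("pam_listfile" in f for f in fields[2:]):
            types.add(fields[0].lstrip("-").lower())
    return types

def sshd_settings(cfg_text):
    """Return global sshd_config keywords, lower-cased, up to the first Match block."""
    settings = {}
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break  # conditional overrides are out of scope for this check
        settings.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return settings

def pubkey_logins_restricted(pam_text, cfg_text):
    """True if the user allowlist also applies to public-key logins."""
    cfg = sshd_settings(cfg_text)
    if cfg.get("pubkeyauthentication", "yes").lower() == "no":
        return True  # no key logins to restrict
    if "allowusers" in cfg or "allowgroups" in cfg:
        return True  # sshd applies these lists whatever the authentication method
    # With UsePAM yes, sshd runs PAM account modules for every authentication
    # type, but PAM auth modules only for password-style logins (sshd_config(5)).
    uses_pam = cfg.get("usepam", "no").lower() == "yes"
    return uses_pam and "account" in pam_listfile_types(pam_text)

if __name__ == "__main__":
    print("key logins restricted:", pubkey_logins_restricted(SAMPLE_PAM, SAMPLE_SSHD))
```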