
Re: SSH package concerns...



On Tue, May 10, 2005 at 11:19:15AM -0400, Lennart Sorensen wrote:
> On Tue, May 10, 2005 at 10:09:59AM -0500, Pete Harlan wrote:
> > On Mon, May 09, 2005 at 10:16:24PM -0400, Adam Skutt wrote:
> > > Nathan Dragun wrote:
> > > > While setting up PAM in conjunction with SSH I included the following
> > > > line to deny access unless found in the following file:
> > > > 
> > > > auth    required        pam_listfile.so sense=allow onerr=fail item=user
> > > > file=/etc/sshloginusers
> > > > 
> > > > Which works, sort of.
> > > Don't use it.  sshd(8) lets you deny and allow users via
> > > /etc/ssh/sshd_config.
> > > 
> > > Reading the daemon documentation before doing something like this is
> > > always a good idea.
> > 
> > He didn't say there wasn't another way to do it, he said there was a
> > security hole.
> 
> I believe SSH supports multiple types of authentication.  If pam fails,
> it will use the next configured one.  It's a feature of ssh.

Thanks, that is helpful.

> It isn't as if pam can disable ssh key logins either.  Is that a
> security hole?

It would be nice if there were a way to have the pam module indicate,
"this failed, and that's final", as distinct from, "this failed so try
something else".

> It still requires a valid account and password to login.

True, but I imagine that if someone is using this feature then they
have some accounts they trust less than others.  There are various
ways to go about restricting logins (including sshd's AllowUsers), but
the pam method seemed reasonable to me.  Particularly because with PAM
you could use the same user list for any number of services, not just
sshd.

(And I don't understand why it would work intermittently, but that's
getting far afield.)

--Pete
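As an added illustration (not part of the thread), the pam_listfile rule above is shown in the placement the thread discusses, where sshd consults it only for password logins, beside a placement that sshd also applies to public-key logins, and beside the sshd_config alternative the thread mentions. The usernames and list file contents are constructed; the `account` placement relies on sshd running the PAM account stack for every authentication method when `UsePAM yes` is set.

```conf
# /etc/pam.d/sshd, placement as in the thread: this rule lives in the "auth"
# stack, which sshd only enters for password / keyboard-interactive logins.
# A user presenting a valid authorized key never reaches this stack, so the
# allow-list is bypassed for key logins.
auth    required    pam_listfile.so sense=allow onerr=fail item=user file=/etc/sshloginusers

# /etc/pam.d/sshd, corrected placement: sshd runs the "account" stack for every
# authentication method once UsePAM is enabled, so this rule also gates key
# logins. onerr=fail keeps the default closed if /etc/sshloginusers is missing
# or unreadable (an error is treated as "not listed").
account required    pam_listfile.so sense=allow onerr=fail item=user file=/etc/sshloginusers

# /etc/ssh/sshd_config, the sshd-native alternative from the thread.
# UsePAM yes is required for the account stack above to be consulted at all;
# AllowUsers is enforced by sshd itself before any authentication method runs.
# (alice and bob are constructed example usernames.)
UsePAM yes
AllowUsers alice bob

# /etc/sshloginusers, one login name per line (constructed sample contents):
#   alice
#   bob
```

Keep the two lists in agreement if both mechanisms are used, since either one alone is sufficient to refuse a login.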
