[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Putty 0.45 vs. SSH Login

* Tim van Erven <tripudium@chello.nl> [020505 19:21]:
> On Sun, May 05, 2002 at 12:15:49PM -0300, Henrique de Moraes Holschuh <hmh@debian.org> wrote:
> > The best bet would have to move the delay out of PAM (always using nodelay
> > in the ssh PAM file) into ssh, I suppose.
> I don't know much about OpenSSH or PAM internals, but how about adding
> an option to PAM to make authentication always fail for root and move
> all this authentication stuff into PAM.
> [...] it makes sense to keep
> authentication centralized as much as possible.

I rather think ssh should check also earlier for root
and not even call PAM when root login is not permitted
and someone tries to log in as root.
While I also think authentication should be centralised, I
prefer security checks to be at as much places as reasoable,
and in my system forbidding root-login is a mean for security.
It just makes to sleep better if you know, that even if pam
gots confused, they get no directly into root. (I know, ssh to
user and su will do it either, but a security
measure more, that does not hurt, is always a good thing)

	Bernhard R. Link
The man who trades freedom for security does not deserve 
nor will he ever receive either. (Benjamin Franklin)

To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: