
Re: Putty 0.45 vs. SSH Login

On Mon, May 06, 2002 at 03:52:21PM +0200, Tim van Erven wrote:
> On Mon, May 06, 2002 at 03:08:45PM +0200, "Bernhard R. Link" <brl@pcpool00.mathematik.uni-freiburg.de> wrote:
> I disagree. By that reasoning it would be even better if OpenSSH
> double-checked all of PAM's work. That would add bloat to ssh and
> possibly even introduce new security problems. If you're going to rely
> on PAM, you should rely on PAM.

 Does sshd even use PAM at all when SSH authentication methods other than
password are used?  For this to be a problem, someone would have to get
their public key into root's authorized_keys.  However, the situation could
occur, and sshd obviously must not allow root logins when its config file
says not to.  (Maybe there are keys lying around, but you want to cut off
root logins...)

 Offloading this job to PAM is a good idea, except that it's convenient to
have it built in to ssh.  I know what PAM is, but I've hardly ever touched a
PAM config file.  If I had had to learn PAM to disable root logins, I
might not have gone to the trouble of doing it.  It's just my home computer;
anything more than script kiddies is unlikely.  Having a useful security
feature that's easy to use is a good idea, IMHO, since it will make a
significant number of computers significantly more secure.  (A lot of people
are not very careful about security, so making it easy to implement things
that are useful for most people is a good thing.)

#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
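
An added example, not part of the original message: a small audit for the situation the message describes, where a public key sits in root's authorized_keys while the sshd config file is meant to refuse root logins. It assumes the OpenSSH `PermitRootLogin` keyword; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Files below are constructed samples.

# Effective global PermitRootLogin. sshd uses the first value it finds for a
# keyword, keywords are case-insensitive, and lines after "Match" are
# conditional. Assumption: no Include files, no "keyword=value" spelling.
effective_permit_root_login() {
    awk '
        { sub(/#.*/, "") }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Number of key lines (neither blank nor comment) in an authorized_keys file.
count_keys() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -cv -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$1" || true
}

# Verdict on key-based root login only (password logins are not assessed).
# "unset" means sshd's built-in default applies; treated here as not blocking.
root_key_login_verdict() {
    mode=$(effective_permit_root_login "$1")
    keys=$(count_keys "$2")
    if [ "$mode" = "no" ]; then
        echo "blocked mode=$mode keys=$keys"
    elif [ "$keys" -eq 0 ]; then
        echo "no-keys mode=$mode keys=$keys"
    else
        echo "key-login-possible mode=$mode keys=$keys"
    fi
}

# Constructed sample: a key is lying around, but the first setting says no.
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sshd_config' 'Port 22' 'PermitRootLogin no' \
    'PermitRootLogin yes' > "$demo_dir/sshd_config"
printf '%s\n' '# constructed key file' \
    'ssh-rsa AAAAEXAMPLEONLY root@example' > "$demo_dir/authorized_keys"
root_key_login_verdict "$demo_dir/sshd_config" "$demo_dir/authorized_keys"
```

On a real host, pass the actual sshd_config and root authorized_keys paths to `root_key_login_verdict` instead of the sample files.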
