[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ssh authentication configuration?

On Tue, May 28, 2002 at 05:51:02PM -0700, Stephen Johnson wrote:
> Hello, i'm confused on a couple variables in the sshd_config file, i
> have a client that's using that 'other os' and has an ssh client that he
> likes. however, he wanted me to secure the server as much as possible,
> i've always disabled clear text passwords(PasswordAuthentication no),
> and turn on pam auth (PAMAuthenticationViaKbdInt yes).  That's always
> worked fine for me as i'm using debian linux, and i don't actually know
> why i do it other than in the conf file debian adds a comment above
> telling me to do so, so i do.  Well, my clients ssh client app doesn't
> seem to be able to handle pam auth, so when i disable clear text passes

Both PasswordAuthentication and PAMAuthenticationViaKbdInt go through
PAM [0]. The difference is that PasswordAuthentication obtains a
password and hands that to the auth modules, whereas
PAMAuthenticationViaKbdInt allows modules to interact with the user so
that they can display their own prompts and collect responses.

Note that both send passwords (or other data) as *tunneled* cleartext -
in other words, the string itself is sent, but it's sent over the
encrypted channel.

> it won't let him in, even though i can get in with his account from my
> ssh client.  i guess what i'm asking is, "How much of a security risk is
> using regular auth versus Pam?". 

Unless you've modified your PAM configuration to use some
challenge-response authentication mechanism, and barring any relevant
undiscovered bugs in OpenSSH or PAM, there's no difference in the risks
posed by using SSH password-authentication and SSH keyboard-interactive
authentication, nor reason to turn off PasswordAuthentication but leave
PAMAuthenticationViaKbdInt on.

[0] in the Debian configuration - if configured at build time without
    PAM, PasswordAuthentication will use another mechanism to check

William Aoki     waoki@umnh.utah.edu       /"\  ASCII Ribbon Campaign
B1FB C169 C7A6 238B 280B  <- key change    \ /  No HTML in mail or news!
99AF A093 29AE 0AE1 9734   prev. expired    X
                                           / \

To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: