Re: ssh authentication configuration?
Stephen,
On Tue, May 28, 2002 at 05:51:02PM -0700, Stephen Johnson wrote:
> Hello, I'm confused on a couple of variables in the sshd_config file. I
> have a client that's using that 'other OS' and has an SSH client that he
> likes. However, he wanted me to secure the server as much as possible.
> I've always disabled clear text passwords (PasswordAuthentication no)
> and turned on PAM auth (PAMAuthenticationViaKbdInt yes). That's always
> worked fine for me as I'm using Debian Linux, and I don't actually know
> why I do it other than that in the conf file Debian adds a comment above
> telling me to do so, so I do. Well, my client's SSH client app doesn't
> seem to be able to handle PAM auth, so when I disable clear text passes
> it won't let him in, even though I can get in with his account from my
> SSH client. I guess what I'm asking is, "How much of a security risk is
> using regular auth versus PAM?".
I'll assume you're using the OpenSSH version 3.x that's in the
Debian testing distribution.
The password will still be sent in the clear; there is a difference in
the way the server handles it (that is, it palms off to PAM the
responsibility of letting you in) and a difference in the way the
client negotiates (IIRC it's nonfunctional if the client doesn't request
keyboard-interactive negotiation).
However, if you use PAM auth, then the login process will also pass
through PAM's session and account elements; if you have defined
any strict login restrictions there, then PasswordAuthentication
will bypass them. This may or may not be an issue for you, but
otherwise, PasswordAuthentication has equivalent security.
Personally I recommend neither and tell everyone to prefer keys
and one-time passwords, but that's another story :)
Joshua
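As an added example (not part of the thread), a small Python check that reads an sshd_config and reports which of the authentication paths Joshua contrasts are left open. It uses only the OpenSSH 3.x keywords named above and assumes OpenSSH's first-occurrence-wins rule and compiled-in defaults of PasswordAuthentication yes, PAMAuthenticationViaKbdInt no and PubkeyAuthentication yes; the sample configs are constructed.

```python
import re

def parse_sshd_config(text):
    """Return {keyword_lower: value} using sshd's rule that the FIRST
    occurrence of a keyword wins; later duplicates are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # sshd: only a leading '#' is a comment
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def is_on(settings, key, default):
    """Case-insensitive yes/no lookup with the compiled-in default applied."""
    return settings.get(key.lower(), default).lower() == "yes"

def audit(text):
    """List the authentication paths the config leaves open (OpenSSH 3.x keywords)."""
    s = parse_sshd_config(text)
    open_paths = []
    if is_on(s, "PasswordAuthentication", "yes"):        # assumed default: yes
        # 'password' method: sshd verifies the password itself, so PAM's
        # account/session restrictions are never consulted.
        open_paths.append("password (no PAM account/session checks)")
    if is_on(s, "PAMAuthenticationViaKbdInt", "no"):     # assumed default: no
        # keyboard-interactive handed to PAM: the client sends the same secret,
        # but PAM account/session modules run; needs a kbd-interactive client.
        open_paths.append("keyboard-interactive via PAM")
    if is_on(s, "PubkeyAuthentication", "yes"):          # assumed default: yes
        open_paths.append("publickey")
    return open_paths

# Constructed sample: the poster's setup, with a stray later duplicate.
HARDENED = """\
# Debian's comment recommends turning this off and using PAM instead
PasswordAuthentication no
PAMAuthenticationViaKbdInt yes
# a later duplicate is ignored by sshd: first occurrence wins
PasswordAuthentication yes
"""
# Constructed sample: everything commented out, so the defaults decide.
DEFAULTS_ONLY = "#PasswordAuthentication yes\n#PAMAuthenticationViaKbdInt yes\n"

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("defaults", DEFAULTS_ONLY)):
        print(name, "->", audit(cfg))
```

The second sample shows the point behind Debian's comment: leaving PasswordAuthentication commented out keeps the plain password path open, and with it the bypass of PAM's account and session checks.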