
sshd: Disable PAM if you do not want to use passwords



Hello,

Regarding bug #109846 I also have the problem that if I use
  PasswordAuthentication no
in /etc/ssh/sshd_config, it is not enough to reject password
authentication. I _also_ have to disable PAM.

I discovered I had a /etc/ssh/sshd_config.dpkg-old dated 2001-09-13.
This file does not have the line
  UsePAM yes

If I use
  PasswordAuthentication no
  UsePAM no
then passwords are effectively disabled.

I think it is clearer/easier/simpler to modify two lines in
/etc/ssh/sshd_config than modifying one line in /etc/ssh/sshd_config and
one line in /etc/pam.d/ssh


I think it may be a critical security problem for upgrades from woody
since the UsePAM line is not present in /etc/ssh/sshd_config on a woody
system. It is not clear that if you add "UsePAM yes" (during the
upgrade) it will allow password authentication EVEN IF you have
PasswordAuthentication no. So this should be clearly documented.

Regards,

-- 
 Dr. Ludovic Rousseau                        Ludovic.Rousseau@free.fr
 -- Normaliser Unix c'est comme pasteuriser le camembert, L.R. --
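
A check for the combination described in this message, as an added example (not part of the original post or of OpenSSH): it reads an sshd_config and reports whether `PasswordAuthentication no` is paired with an explicit `UsePAM no`. The function names and result labels are hypothetical; the script assumes sshd's first-value-wins parsing, ignores `Match` blocks and included files, and treats a missing `UsePAM` line as needing attention.

```shell
#!/bin/sh
# Added example: audit sshd_config for the PasswordAuthentication/UsePAM pairing.
# Function names and result labels are hypothetical, not part of OpenSSH.

# Print the first value set for keyword $1 in file $2 (sshd uses the first
# value it reads). Stops at the first Match block; included files are not read.
sshd_first_value() {
    awk -v want="$1" '
        BEGIN { key = tolower(want) }
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }
    ' "$2"
}

# Classify config file $1; returns 0 only when both settings are explicit "no".
check_sshd_passwords() {
    pw=$(sshd_first_value PasswordAuthentication "$1")
    pam=$(sshd_first_value UsePAM "$1")
    # An absent PasswordAuthentication line falls back to sshd's default (yes).
    if [ "$pw" != "no" ]; then
        echo "password-enabled"; return 1
    fi
    case "$pam" in
        no)  echo "passwords-disabled"; return 0 ;;
        yes) echo "pam-still-enabled"; return 1 ;;
        *)   echo "usepam-unset"; return 1 ;;   # assumption: treat as unsafe
    esac
}

# Constructed sample (not a real host's file): key-only intent, PAM left on.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
PasswordAuthentication no
UsePAM yes
EOF
check_sshd_passwords "$sample" || true
rm -f "$sample"
```

The non-zero exit status for every result except `passwords-disabled` lets the function gate a post-upgrade check on each host's own /etc/ssh/sshd_config.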


