Bug#250369: marked as done (ssh: PasswordAuthentication no should result in UsePAM No on update)
Your message dated Sat, 16 Oct 2004 21:02:33 -0700
with message-id <20041017040228.GB3928@mauritius.dodds.net>
and subject line ssh: PasswordAuthentication no should result in UsePAM no on update
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 22 May 2004 13:59:54 +0000
>From mh+debian-bugs@zugschlus.de Sat May 22 06:59:54 2004
Return-path: <mh+debian-bugs@zugschlus.de>
Received: from de46d.ipsec0.torres.ka0.zugschlus.de (torres.ka0.zugschlus.de) [212.126.222.70] (Debian-exim)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1BRX2Y-0002Sg-00; Sat, 22 May 2004 06:59:54 -0700
Received: from lefler.int.ka0.zugschlus.de ([192.168.130.38]:32801 helo=darren.int.ka0.zugschlus.de)
by torres.ka0.zugschlus.de with esmtp (Exim 4.34 (Debian package 4.34-0+1zg1))
id 1BRX2X-0001pG-50; Sat, 22 May 2004 15:59:53 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Marc Haber <mh+debian-bugs@zugschlus.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ssh: PasswordAuthentication no should result in UsePAM No on update
Bcc: Marc Haber <mh+debian-bugs@zugschlus.de>
X-Mailer: reportbug 2.60
Date: Sat, 22 May 2004 15:59:53 +0200
Message-ID: <E1BRX2X-0001pG-50@torres.ka0.zugschlus.de>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-7.0 required=4.0 tests=BAYES_00,DATING,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
Package: ssh
Version: 1:3.8.1p1-3
Severity: normal
Hi,
my woody systems routinely run with PasswordAuthenticatio No, so that
only ssh keys can be used to log in.
When updating one box to sid for testing purposes, /etc/ssh/ssd_config
was augmented with "UsePam yes", allowing users to log in using their
password. This went unnoticed, unwarned and might introduce a security
risk.
Please consider setting "UsePam no" on systems that have "Password
Authentication No" set on update.
Greetings
Marc
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-zgserver
Locale: LANG=C, LC_CTYPE=C
Versions of packages ssh depends on:
ii adduser 3.53 Add and remove users and groups
ii debconf 1.4.25 Debian configuration management sy
ii dpkg 1.10.21 Package maintenance system for Deb
ii libc6 2.3.2.ds1-12 GNU C Library: Shared libraries an
ii libpam-modules 0.76-21 Pluggable Authentication Modules f
ii libpam-runtime 0.76-21 Runtime support for the PAM librar
ii libpam0g 0.76-21 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7d-2 SSL shared libraries
ii libwrap0 7.6.dbs-3 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.1.1-3 compression library - runtime
-- debconf information excluded
---------------------------------------
Received: (at 250369-done) by bugs.debian.org; 17 Oct 2004 04:02:35 +0000
>From vorlon@debian.org Sat Oct 16 21:02:35 2004
Return-path: <vorlon@debian.org>
Received: from dsl093-039-086.pdx1.dsl.speakeasy.net (localhost.localdomain) [66.93.39.86]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CJ2Fe-0003Yb-00; Sat, 16 Oct 2004 21:02:34 -0700
Received: by localhost.localdomain (Postfix, from userid 1000)
id E1B41171DB0; Sat, 16 Oct 2004 21:02:33 -0700 (PDT)
Date: Sat, 16 Oct 2004 21:02:33 -0700
From: Steve Langasek <vorlon@debian.org>
To: 250369-done@bugs.debian.org
Subject: Re: ssh: PasswordAuthentication no should result in UsePAM no on update
Message-ID: <20041017040228.GB3928@mauritius.dodds.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="+g7M9IMkV8truYOl"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040722i
Delivered-To: 250369-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no
version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
--+g7M9IMkV8truYOl
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
The maintainer's package which purports to address this bug has reached
testing, therefore I believe this bug can be closed.
Thanks,
--=20
Steve Langasek
postmodern programmer
--+g7M9IMkV8truYOl
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFBce7UKN6ufymYLloRAkacAKClDJxE0VtznF6Pi4IS/AQDVkEGKQCgy3y5
kIt+TzSXAWN0invQ89zitZY=
=NHPd
-----END PGP SIGNATURE-----
--+g7M9IMkV8truYOl--
Reply to: