Re: UsePAM documentation clarification in sshd_config.

On 19/06/16 23:14, Peter Bisroev wrote:
These configuration changes do result in the expected line from
auth-pam.c in the logs. So if my understanding of this behavior is
correct, would it be beneficial for other users to document that
behavior in sshd_config and the associated man page for option UsePAM?
Maybe remove the bypass of "PermitRootLogin without-password"
statement in order to avoid confusion?

It would also be helpful to mention the specific error line that can
appear in the logs in order to explain to the user that the problem is
not with OpenSSH itself but with the PAM configuration.

Of course if I am missing something and my assumptions are incorrect,
under what circumstances can the behavior described in sshd_config
manifest itself? Should a sample PAM configuration that can lead to
such behavior be documented?

What are your thoughts?

Hello Peter

Thanks for your analysis. You are probably right in that it is no longer possible, in
which case that comment should be changed.

As for mentioning the specific error message, I would rather change the generated line, i.e.

index 451de78..3c410d2 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -766,12 +766,14 @@ sshpam_query(void *ctx, char **name, char **info,
                                **prompts = NULL;
                        }
                        if (type == PAM_SUCCESS) {
-                               if (!sshpam_authctxt->valid ||
-                                   (sshpam_authctxt->pw->pw_uid == 0 &&
- options.permit_root_login != PERMIT_YES))
+                               if (!sshpam_authctxt->valid)
                                        fatal("Internal error: PAM auth "
"succeeded when it should have "
                                            "failed");
+                               if (sshpam_authctxt->pw->pw_uid == 0 &&
+                                   options.permit_root_login != PERMIT_YES)
+                                   fatal("PAM auth succeeded for root "
+ "but PermitRootLogin is not enabled");
                                import_environments(&buffer);
                                *num = 0;
                                **echo_on = 0;
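Review bot: the text of the new fatal() at the end of the hunk, "PAM auth succeeded for root but PermitRootLogin is not enabled", does not match its condition: `options.permit_root_login != PERMIT_YES` also fires under `PermitRootLogin without-password` (the setting the thread is about), where root login is enabled but only for non-password methods, so the log line would contradict a legitimate sshd_config. Suggest naming the actual check, e.g. "PAM auth succeeded for root but PermitRootLogin does not allow it". Separately, the root case still ends in fatal(), so a PAM stack that lets root through drops the connection instead of producing an ordinary failed-authentication log entry; since the goal is to point administrators at the PAM configuration rather than at OpenSSH, a logged error followed by a normal auth failure would be easier to find than a terminated session.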
In case someone else wants to misconfigure his system to test this:

/etc/ssh/sshd_config:
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication yes

/etc/pam.d/sshd:
    auth    [default=ignore success=1] pam_succeed_if.so uid != 0
    auth    sufficient pam_permit.so


$ ssh -oPasswordAuthentication=no -oChallengeResponseAuthentication=yes root@localhost

Regards
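As an added illustration (not code from this thread or from OpenSSH), a small Python audit that replays the sshd_config and /etc/pam.d/sshd pair quoted above: it walks the PAM auth stack with simplified Linux-PAM control semantics and reports when PAM would authenticate root with no credential while PermitRootLogin forbids root, which is the situation that reaches sshd's fatal(). The sshd defaults, the two-module PAM model and the line regex are assumptions of the example.

```python
import re

# Constructed inputs, copied from the misconfiguration quoted in the mail.
SSHD_CONFIG = "PermitRootLogin no\nPasswordAuthentication no\nChallengeResponseAuthentication yes\n"
PAM_SSHD = "auth [default=ignore success=1] pam_succeed_if.so uid != 0\nauth sufficient pam_permit.so\n"
PAM_LINE = re.compile(r"^\s*auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def sshd_option(config, key, default):
    """First occurrence wins and keywords are case-insensitive, as in sshd."""
    hits = [w[1].lower() for w in map(str.split, config.splitlines()) if len(w) > 1 and w[0].lower() == key.lower()]
    return hits[0] if hits else default

def module_ok_without_credential(module, args, uid):
    """Could this module return PAM_SUCCESS with no credential supplied? Only the
    two modules from the mail are modelled; any other module is assumed to fail."""
    if module == "pam_succeed_if.so" and len(args) == 3 and args[0] == "uid":
        return uid != int(args[2]) if args[1] == "!=" else uid == int(args[2])
    return module == "pam_permit.so"

def pam_auth_without_credential(stack, uid):
    """Simplified Linux-PAM control semantics; an integer action N counts as 'ok' plus a jump (pam.conf(5))."""
    entries = [m.groups() for m in map(PAM_LINE.match, stack.splitlines()) if m]
    i, ok_recorded = 0, False
    while i < len(entries):
        control, module, argstr = entries[i]
        ok = module_ok_without_credential(module, argstr.split(), uid)
        if control.startswith("["):                     # [value=action ...] form
            actions = dict(kv.split("=", 1) for kv in control.strip("[]").split())
            act = actions.get("success" if ok else "default", "bad")
            if act in ("bad", "die"): return False      # a recorded failure can never be undone
            if act == "done": return True
            if act.isdigit(): i += int(act)             # skip the next N modules
            ok_recorded |= act != "ignore"
        elif control == "sufficient" and ok:
            return True
        elif control in ("required", "requisite"):
            if not ok: return False
            ok_recorded = True
        i += 1
    return ok_recorded

def audit(sshd_config=SSHD_CONFIG, pam_stack=PAM_SSHD):
    """Findings for this sshd_config / pam.d pair (the sshd defaults used here are assumptions)."""
    prl = sshd_option(sshd_config, "PermitRootLogin", "prohibit-password")
    on = all(sshd_option(sshd_config, k, "yes") == "yes" for k in ("UsePAM", "ChallengeResponseAuthentication"))
    if not (on and pam_auth_without_credential(pam_stack, uid=0)):
        return []
    if prl == "yes":
        return ["root logs in with no credential: PAM permits root and PermitRootLogin is yes"]
    return [f"PAM permits root with no credential but PermitRootLogin is {prl}: sshd fatal()s instead of failing auth"]
```

Note that with the quoted stack the jump action also records success for non-root users, so they too would pass the PAM step with no credential.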


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
