That is a very fair point! If they're willing to look at it before deciding whether it is reasonable effort to maintain, I'm happy to put up a pull request. This thread is mostly asking whether the feature would be welcome at all, so I look forward to hearing from the maintainers on that. ~Henry On Thu, Jun 27, 2024 at 3:02 PM Peter Moody <mindrot@xxxxxxxx> wrote: > it's not just adding a line at runtime. it's the openssh maintainers > maintaining an odd codepath and testing it at each release and > answering questions about the configuration, etc. > > On Thu, Jun 27, 2024 at 3:00 PM Henry Qin <hq6@xxxxxxxxxxxxxxx> wrote: > > > > I would like to understand your opinion a little more deeply. > > > > Are you suggesting that it's easier to (prepare the container and add a > line at runtime) compared to (add a line to an sshd config at runtime)? The > latter scenario would be the case if the patch is merged. > > > > Or did you mean that it's easier to prepare the container than to > implement a correct patch into sshd to enable the option in the first place? > > > > If the patch is merged, then nobody has to prepare any containers a > priori to enable this functionality. They just need to install sshd and > create a config file whenever they need it, no root required. > > > > If the patch isn't merged, then anyone who wants to use this > functionality has to prepare a container (unless they have root at > runtime). They would then additionally have to create a config. > > > > ~Henry > > > > On Thu, Jun 27, 2024 at 2:49 PM Peter Moody <mindrot@xxxxxxxx> wrote: > >> > >> i'm not a maintainer, but my personal opinion is that it's probably > >> easier to prepare a container with this pam configuration > >> > >> On Thu, Jun 27, 2024 at 2:26 PM Henry Qin <hq6@xxxxxxxxxxxxxxx> wrote: > >> > > >> > Thanks for the pointer! > >> > I played around with PamServiceName set to 'sshd_disable_auth' and > got it working with the minimum contents below in the file > /etc/pam.d/sshd_disable_auth. > >> > > >> > auth required pam_permit.so > >> > account required pam_permit.so > >> > session required pam_permit.so > >> > > >> > Thus, this does indeed enable disabling authentication. > >> > > >> > Unfortunately, as far as I can tell, only root can create files in > /etc/pam.d in most default system configurations. > >> > Moreover, it is somewhat common to disallow root in an actual > deployed environment. > >> > > >> > That means that this approach is infeasible when running sshd as an > ordinary user, both generally and in deployed environments, unless the > container or deployed VM already has a pam configuration file such as > /etc/pam.d/sshd_disable_auth deployed with it. > >> > > >> > Thus, I'm still interested in your opinions on the proposed patch, > which would grant more flexibility to ordinary users, and allow ad hoc > usage in deployed scenarios without having to prepare a container with a > bespoke pam configuration file. > >> > > >> > ~Henry > >> > > >> > On Thu, Jun 27, 2024 at 10:58 AM Peter Moody <mindrot@xxxxxxxx> > wrote: > >> >> > >> >> see pam_permit(8) > >> >> > >> >> > >> >> On Thu, Jun 27, 2024 at 10:37 AM Henry Qin <hq6@xxxxxxxxxxxxxxx> > wrote: > >> >> > > >> >> > When I looked at `man pam_unix`, I did not see any obvious > options that > >> >> > would > >> >> > cause ssh to authenticate without prompting for a password at all, > short of > >> >> > setting an empty password which is similar to PermitEmptyPasswords > option. > >> >> > > >> >> > However, I am not very familiar with the internals of PAM, so > pointers to > >> >> > documentation would be greatly appreciated. > >> >> > > >> >> > Also, I think adding a single line to sshd_config is simpler for > most users > >> >> > to > >> >> > do correctly than configuring an alternate PAM stack without > breaking their > >> >> > primary sshd setup, which is why I think the patch may still be > useful. > >> >> > > >> >> > On Thu, Jun 27, 2024 at 7:57 AM Carson Gaspar <carson@xxxxxxxxxx> > wrote: > >> >> > > >> >> > > On 6/26/2024 9:34 PM, Henry Qin wrote: > >> >> > > > Hi folks, > >> >> > > > > >> >> > > > I've recently started to work on a patch for openssh that > introduces a > >> >> > > new > >> >> > > > option to disable authentication. > >> >> > > > I'd like to explain why I think this might be generally > useful, and > >> >> > > solicit > >> >> > > > opinions on whether such a patch would be acceptable to the > maintainers > >> >> > > as > >> >> > > > a pull request. > >> >> > > > >> >> > > Why not just use a different PAM stack? The new release allows > >> >> > > specifying the stack name. This should do what you want with no > code > >> >> > > changes using Password / KbdInteractive AuthN. > >> >> > > > >> >> > > -- > >> >> > > > >> >> > > Carson > >> >> > > > >> >> > > _______________________________________________ > >> >> > > openssh-unix-dev mailing list > >> >> > > openssh-unix-dev@xxxxxxxxxxx > >> >> > > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > >> >> > > > >> >> > _______________________________________________ > >> >> > openssh-unix-dev mailing list > >> >> > openssh-unix-dev@xxxxxxxxxxx > >> >> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
