How to disable PAM password authentication, for SSHD, in CentOS 7.4


Hi all,

For a small project I am collaborating on, I need to disable any possible password-based authentication in PAM, for SSH, so that the only authentication happens through a script called via pam_exec. This is how the sshd pam module looks, after having commented out the "auth substack password-auth" entry:

auth required
auth sufficient stdout /bin/
#auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional prepare
account required
account include password-auth
password include password-auth
# close should be the first session rule
session required close
session required
# open should only be followed by sessions to be executed in the user context
session required open env_params
session required
session optional force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional prepare

The contents of password-auth are the defaults:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required
auth sufficient nullok try_first_pass
auth requisite uid >= 1000 quiet_success
auth required

account required
account sufficient
account sufficient uid < 1000 quiet
account required

password requisite try_first_pass local_users_only retry=3 authtok_type=
password sufficient sha512 shadow nullok try_first_pass use_authtok
password required

session optional revoke
session required
-session optional
session [success=1 default=ignore] service in crond quiet use_uid
session required

So my question is: does anybody know why I am getting a "Broken pipe" error when logging in with this module, and why I can see a pam_setcred error on the server journal? How can I achieve my goal?

Thank you very much for your time,
Pam-list mailing list
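
An added example, not part of the original post: a small Python check that parses PAM service files in the format shown above and reports whether a given stack type still pulls in password-auth through include or substack, directly or via another included file. The file contents are constructed samples, the pam_exec.so script path is a placeholder, and the names parse_pam and reaches are hypothetical.

```python
import re

# One PAM line: [-]type, control (keyword or [value=action ...]),
# module path or included file name, then optional arguments.
LINE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return the active (type, control, target, args) entries of one file."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out entry
        m = LINE.match(line)
        if m:  # lines with fewer than three fields are skipped
            _, mtype, control, target, args = m.groups()
            entries.append((mtype, control, target, args))
    return entries

def reaches(files, start, mtype, wanted="password-auth", trail=()):
    """List include/substack chains from `start` to `wanted` for one type."""
    trail = trail + (start,)
    found = []
    for etype, control, target, _ in parse_pam(files.get(start, "")):
        if etype != mtype or control not in ("include", "substack"):
            continue  # include/substack only pull lines of the same type
        if target == wanted:
            found.append(trail + (target,))
        elif target not in trail:  # guard against include loops
            found += reaches(files, target, mtype, wanted, trail)
    return found

# Constructed sample files, modelled on the layout in the post.
FILES = {
    "sshd": """\
auth sufficient pam_exec.so stdout /path/to/script
#auth substack password-auth
auth include postlogin
account include password-auth
password include password-auth
session include password-auth
""",
    "postlogin": "session optional pam_lastlog.so silent\n",
}

if __name__ == "__main__":
    for mtype in ("auth", "account", "password", "session"):
        print(mtype, reaches(FILES, "sshd", mtype))
```

For the sample, the auth type reports no chain while account, password and session still reach password-auth, which is expected: only the auth stack decides how the user is authenticated.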
