Subject: Re: pam, ssh, and pam_ssh
To: Christos Zoulas <christos@zoulas.com>
From: maximum entropy <entropy@entropy.homeip.net>
List: current-users
Date: 03/14/2005 23:53:30

Christos Zoulas wrote:
> On Mar 14, 3:51pm, entropy@entropy.homeip.net (maximum entropy) wrote:
> -- Subject: Re: pam, ssh, and pam_ssh
>
> | # ssh -l entropy localhost
> | Connection closed by 127.0.0.1
> |
> | Can you explain to me why you think this has anything to do with
> | authorized_keys? I see no mention of authorized_keys in the pam_ssh
> | manpage. It seems to me that even if you accomplish what I think you're
> | trying to accomplish, then you're changing pam_ssh to do something
> | fundamentally different from what it's documented to do.
> |
> | Why are you so opposed to just disabling pam_ssh by default? How is it
> | in anyone's best interest for this to be the default behavior? Several
> | of us have already been burned by this. If I got this behavior from a
> | release I'd be furious right now...
>
> We can disable pam_ssh; I am not opposed to it at all. I am just
> trying to understand how pam_ssh is supposed to work in that framework.
> So if we disable pam_ssh from /etc/pam.d/sshd, do we disable UsePam from
> /etc/ssh/sshd_config? What happens for password authentication then?

I don't think it's necessary to disable UsePam. Having sshd use the PAM
authentication framework is a Good Thing (in my opinion) for the same
reasons PAM is beneficial anywhere else. It's just the specific *new*
authentication method provided by pam_ssh.so that I think should be
disabled by default. With pam_ssh.so disabled, everything will be just
like it was before by default in terms of password and crypto key
authentication in sshd, which should make most of us happy.
--
entropy -- it's not just a good idea, it's the second law.