<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-dev] SSH PAM configuration
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20SSH%20PAM%20configuration&In-Reply-To=%3C5028D073.2010105%40kde.org%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="018100.html">
   <LINK REL="Next"  HREF="018102.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-dev] SSH PAM configuration</H1>
    <B>Anne Wilson</B> 
    <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20SSH%20PAM%20configuration&In-Reply-To=%3C5028D073.2010105%40kde.org%3E"
       TITLE="[Mageia-dev] SSH PAM configuration">annew at kde.org
       </A><BR>
    <I>Mon Aug 13 12:01:23 CEST 2012</I>
    <P><UL>
        <LI>Previous message: <A HREF="018100.html">[Mageia-dev] SSH PAM configuration
</A></li>
        <LI>Next message: <A HREF="018102.html">[Mageia-dev] SSH PAM configuration
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#18101">[ date ]</a>
              <a href="thread.html#18101">[ thread ]</a>
              <a href="subject.html#18101">[ subject ]</a>
              <a href="author.html#18101">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 13/08/12 09:58, Pascal Terjan wrote:
&gt;<i> On Mon, Aug 13, 2012 at 9:39 AM, Anne Wilson &lt;<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">annew at kde.org</A>&gt;
</I>&gt;<i> wrote:
</I>&gt;&gt;<i> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
</I>&gt;&gt;<i> 
</I>&gt;&gt;<i> On 13/08/12 08:34, Guillaume Rousse wrote:
</I>&gt;&gt;&gt;<i> On 12/08/2012 21:57, David Walser wrote:
</I>&gt;&gt;&gt;&gt;<i> Johnny A. Solbu wrote:
</I>&gt;&gt;&gt;&gt;&gt;<i> On Sunday 12 August 2012 19:28, David Walser wrote:
</I>&gt;&gt;&gt;&gt;&gt;&gt;<i> Through the PAM configuration for SSH shipped with the 
</I>&gt;&gt;&gt;&gt;&gt;&gt;<i> openssh-server package, root login is broken.  Here's
</I>&gt;&gt;&gt;&gt;&gt;&gt;<i> why. /etc/pam.d/sshd has: auth required pam_listfile.so
</I>&gt;&gt;&gt;&gt;&gt;&gt;<i> item=user sense=deny file=/etc/ssh/denyusers
</I>&gt;&gt;&gt;&gt;&gt;&gt;<i> 
</I>&gt;&gt;&gt;&gt;&gt;&gt;<i> The file /etc/ssh/denyusers has &quot;root&quot; in it by default.
</I>&gt;&gt;&gt;&gt;&gt;<i> 
</I>&gt;&gt;&gt;&gt;&gt;<i> I read somewhere some time ago that PermitRootLogin in 
</I>&gt;&gt;&gt;&gt;&gt;<i> sshd_config is ignored if PAM is used. That may be the
</I>&gt;&gt;&gt;&gt;&gt;<i> reason for this.
</I>&gt;&gt;&gt;&gt;<i> 
</I>&gt;&gt;&gt;&gt;<i> Nope, I just tested it and that is not true.
</I>&gt;&gt;&gt;<i> There is an explicit comment in the configuration file: #
</I>&gt;&gt;&gt;<i> Depending on your PAM configuration, # PAM authentication via 
</I>&gt;&gt;&gt;<i> ChallengeResponseAuthentication may bypass # the setting of 
</I>&gt;&gt;&gt;<i> &quot;PermitRootLogin without-password&quot;.
</I>&gt;&gt;&gt;<i> 
</I>&gt;&gt;&gt;<i> My understanding is just that some specific PAM configuration 
</I>&gt;&gt;&gt;<i> would eventually allow root user to authenticate through a 
</I>&gt;&gt;&gt;<i> password, instead of a key.
</I>&gt;&gt;&gt;<i> 
</I>&gt;&gt;&gt;<i> Regarding your original problem, feel free to commit the
</I>&gt;&gt;&gt;<i> relevant modifications.
</I>&gt;&gt;<i> 
</I>&gt;&gt;<i> Why would anyone need root login over ssh?  I don't allow it on
</I>&gt;&gt;<i> my server and it has never caused me any problems.  Su to root
</I>&gt;&gt;<i> works perfectly well and avoids the security risk, so I don't
</I>&gt;&gt;<i> understand this thread.
</I>&gt;<i> 
</I>&gt;<i> Allowing login as root over ssh with a key can save things when
</I>&gt;<i> for some reason non local auth is down, like to fix the connection
</I>&gt;<i> to the ldap server (you can also create a local emergency account
</I>&gt;<i> for that usage).
</I>
OK, thanks for the answer.  Looks like some more reading on this
subject is required :-)  Although I do use login over ssh with keys
(as user) I don't use ldap, so I've never come across this.

Anne

- -- 
Need KDE help? Try
<A HREF="http://userbase.kde.org">http://userbase.kde.org</A> or
<A HREF="http://forum.kde.org">http://forum.kde.org</A>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - <A HREF="http://enigmail.mozdev.org/">http://enigmail.mozdev.org/</A>

iEYEARECAAYFAlAo0GsACgkQj93fyh4cnBfqXACePg37FlvBQ8xkei9+GNXivQdo
IA4AoIppYO9aPb2YGG8aXA16fy86RxNg
=Om7Z
-----END PGP SIGNATURE-----
</PRE>
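<P>Added example, not part of the original message or of the openssh-server package: a small audit that combines <TT>PermitRootLogin</TT> from sshd_config with the <TT>pam_listfile</TT> rule quoted in the thread, to show which layer actually rejects root. The function names and the sample sshd_config are constructed for illustration; the PAM line and the <TT>/etc/ssh/denyusers</TT> path are the ones quoted above.

```python
def sshd_option(sshd_config, name):
    """Return the effective value of an sshd_config keyword (first occurrence wins)."""
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == name.lower():
            return parts[1].lower()
    return None

def listfile_rules(pam_text):
    """Yield (type, control, args) for pam_listfile lines with a simple control field."""
    for line in pam_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[2].endswith("pam_listfile.so"):
            args = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
            yield parts[0].lstrip("-"), parts[1], args

def pam_blocks_user(pam_text, files, user="root"):
    """Return the PAM types ('auth', 'account') whose pam_listfile rule rejects user."""
    blocked = []
    for mtype, control, args in listfile_rules(pam_text):
        path = args.get("file")
        if args.get("item") != "user" or control not in ("required", "requisite"):
            continue
        if path not in files:  # list contents not supplied: cannot decide, skip
            continue
        listed = user in files[path].split()
        # sense=deny rejects listed users; sense=allow rejects unlisted ones
        if listed == (args.get("sense") == "deny"):
            blocked.append(mtype)
    return blocked

def root_password_login(sshd_config, pam_text, files):
    """Say which layer, if any, stops root from logging in with a password."""
    prl = sshd_option(sshd_config, "PermitRootLogin") or "default"
    if prl == "no":
        return "denied by sshd (PermitRootLogin no)"
    use_pam = sshd_option(sshd_config, "UsePAM") == "yes"
    blocked = pam_blocks_user(pam_text, files) if use_pam else []
    if "account" in blocked:
        return "denied by PAM account stack (all auth methods)"
    if "auth" in blocked:  # the auth stack is not run for public-key logins
        return "password denied by PAM auth stack; sshd setting is " + prl
    return "not blocked by pam_listfile; sshd setting is " + prl

# Constructed sample inputs; the PAM rule is the one quoted in the thread.
SSHD_CONFIG = "UsePAM yes\nPermitRootLogin yes\n"
PAM_SSHD = ("auth required pam_listfile.so item=user sense=deny "
            "file=/etc/ssh/denyusers\nauth include system-auth\n")
FILES = {"/etc/ssh/denyusers": "root\n"}
```

<P>On a real host, pass the contents of <TT>/etc/ssh/sshd_config</TT>, <TT>/etc/pam.d/sshd</TT> and the referenced list file instead of the constructed samples.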
<!--endarticle-->
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>