Date:      Mon, 30 Sep 2002 12:19:21 +0100
From:      "Jamie Heckford" <jamie@jamiesdomain.org.uk>
To:        "Archie Cobbs" <archie@dellroad.org>, <freebsd-stable@FreeBSD.ORG>
Subject:   Re: sshd_config vs. PAM
Message-ID:  <002e01c26873$3d717a50$3264a8c0@BONG>
References:  <200209272135.g8RLZ3We005877@arch20m.dellroad.org>

I would very much like to see ssh completely detached from PAM, and have the PAM ties as an option you have to enable as opposed to it being the default.

----- Original Message -----
From: "Archie Cobbs" <archie@dellroad.org>
To: <freebsd-stable@FreeBSD.ORG>
Sent: Friday, September 27, 2002 10:35 PM
Subject: sshd_config vs. PAM


> Yow! I was surprised to notice that setting these parameters:
>
>    PasswordAuthentication no
>    PermitRootLogin without-password
>
> in /etc/ssh/sshd_config have absolutely NO effect!
>
> This is because now /etc/pam.conf seems to control everything (?)
>
> This seems to violate POLA in a very dangerous way.  Nor is this
> documented anywhere in the ssh man pages... in fact, they lie and
> tell you that these options increase security.
>
> I recommend that we either detach sshd from PAM, or else stop
> documenting and pretending that /etc/ssh/sshd_config actually
> controls this stuff.
>
> -Archie
>
> __________________________________________________________________________
> Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com
>
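
A defender's check for the situation described in the quoted message, as an added example that is not part of the original thread: a shell audit that reads an sshd_config and reports whether a password can still be accepted through PAM-backed keyboard-interactive (challenge-response) authentication, a common reason `PasswordAuthentication no` appears to have no effect. The function names, the verdict words and the defaults assumed for absent keywords are this example's assumptions; `sshd -T` prints the values a real daemon uses.

```shell
#!/bin/sh
# Added example. Assumed defaults when a keyword is absent:
# PasswordAuthentication yes, keyboard-interactive yes, UsePAM yes.

# effective_value FILE 'name1|name2' DEFAULT
# Prints the value taken from the global section of FILE: keywords are
# case-insensitive and the first occurrence wins. Names must be lowercase.
effective_value() {
    awk -v keys="$2" -v def="$3" '
        /^[ \t]*#/ { next }                      # comment line
        tolower($1) == "match" { exit }          # stop before conditional blocks
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)
            if (n >= 2 && tolower(f[1]) ~ ("^(" keys ")$")) {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one verdict word; returns non-zero when a password can still be used.
audit_sshd_config() {
    pw=$(effective_value "$1" 'passwordauthentication' yes)
    # ChallengeResponseAuthentication is the older name of the same option.
    kbd=$(effective_value "$1" 'kbdinteractiveauthentication|challengeresponseauthentication' yes)
    pam=$(effective_value "$1" 'usepam' yes)
    if [ "$pw" = yes ]; then
        echo password-direct; return 1
    elif [ "$kbd" = yes ] && [ "$pam" = yes ]; then
        echo password-via-pam; return 1          # PAM may still prompt for a password
    fi
    echo keys-only
}

# Constructed sample: the two settings quoted in the thread and nothing else.
sample=$(mktemp)
printf '%s\n' 'PasswordAuthentication no' 'PermitRootLogin without-password' > "$sample"
audit_sshd_config "$sample" || true              # prints: password-via-pam
rm -f "$sample"
```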

