Date:      Mon, 6 Mar 2000 21:29:46 -0500 (EST)
From:      "Andrew J. Korty" <ajk@iu.edu>
To:        Peter Wemm <peter@netplex.com.au>
Cc:        Adrian Pavlykevych <pam@polynet.lviv.ua>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/lib/libpam/modules/pam_ssh Makefile 
Message-ID:  <Pine.BSF.4.21.0003062114560.10020-100000@tempest.waterspout.com>
In-Reply-To: <20000307011635.C845D1CDE@overcee.netplex.com.au>

> "Andrew J. Korty" wrote:
> > > Make pam_ssh work.  It had an undefined symbol when it was
> > > dlopen()ed.  I'm not quite sure about this, I think it should be
> > > using -lssh_pic since it's being linked into a .so, but nothing
> > > seems to complain and it does work.  (well, it works for using
> > > the authorized_keys file, but I have not figured out how to get
> > > it to start a ssh-agent and cache the key for me)
> >   
> > Do you have this line in /etc/pam.conf?
> 
> No, there were no examples.  The thought never occurred to have a go
> at xdm. :-)  I was trying to use 'login'.

The login program doesn't use the PAM session layer, probably
because there is no underlying program running during the session
as there is with XDM, so there would be no way to close the PAM
session.

> > 	xdm session     optional        pam_ssh.so
> > 
> > Btw, we should really put some example lines in the default pam.conf file
> > along the lines of
> > 
> > 	xdm auth        sufficient      pam_skey.so
> > 	xdm auth        requisite       pam_cleartext_pass_ok.so
> > 	xdm auth        sufficient      pam_ssh.so      try_first_pass
> > 	xdm auth        required        pam_unix.so     try_first_pass
> > 	xdm account     required        pam_unix.so
> > 	xdm session     optional        pam_ssh.so
> 
> Definitely, but just checking, are these functional lines? I'd hate to
> mess something up.

They work for me. :-)

> BTW; what happens if we list pam_ssh.so and it wasn't compiled as the crypto
> source isn't present?  Will it skip it or cause failures?

The following errors are logged at <user.err>

	unable to dlopen(/usr/lib/pam_ssh.so)
	[dlerror: Cannot open "/usr/lib/pam_ssh.so"]
	adding faulty module: /usr/lib/pam_ssh.so

and then the module is skipped, in this case, falling back to
pam_unix.so for the auth layer.  I think it might fail completely
if pam_ssh were designated as required instead of sufficient (auth)
and optional (session).

I suppose we could comment the pam_ssh lines (like the ones I
submitted back in January, conf/16076) just to be safe.  I'd just
like people to know that it's there for them to use.

-- 
Andrew J. Korty, Lead Security Engineer
Office of the Vice President for Information Technology
Indiana University
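An added example, not part of the thread: a small audit script that reads pam.conf lines in the layout quoted above and flags entries whose module file is missing, separating the case the message describes (sufficient/optional, where PAM logs the dlopen error and skips the module) from the case the message expects to break the stack (required/requisite). It assumes relative module names resolve under /usr/lib, as the logged dlopen() path shows, and it takes the set of present modules as a parameter so the constructed sample runs offline.

```python
import os

# Constructed sample in the pam.conf layout quoted in the message
# (service, type, control, module, optional arguments).
SAMPLE_PAM_CONF = """\
xdm auth        sufficient      pam_skey.so
xdm auth        requisite       pam_cleartext_pass_ok.so
xdm auth        sufficient      pam_ssh.so      try_first_pass
xdm auth        required        pam_unix.so     try_first_pass
xdm account     required        pam_unix.so
xdm session     optional        pam_ssh.so
"""

# Assumed set of module files on the host; pam_ssh.so is deliberately
# absent, mirroring the "crypto source isn't present" case.
PRESENT_MODULES = {
    "/usr/lib/pam_skey.so",
    "/usr/lib/pam_cleartext_pass_ok.so",
    "/usr/lib/pam_unix.so",
}

MODULE_DIR = "/usr/lib"  # assumed: where the logged dlopen() path points
FATAL_CONTROLS = {"required", "requisite"}


def parse_pam_conf(text):
    """Yield (service, type, control, module_path) for each entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:
            continue  # blank, comment, or malformed line
        service, mtype, control, module = fields[:4]
        if not module.startswith("/"):
            module = os.path.join(MODULE_DIR, module)
        yield service, mtype, control.lower(), module


def audit_missing_modules(text, present):
    """'skipped': sufficient/optional, PAM logs the dlopen error and carries on.
    'fatal': required/requisite, which the message expects to fail the stack."""
    report = {"skipped": [], "fatal": []}
    for service, mtype, control, module in parse_pam_conf(text):
        if module not in present:
            key = "fatal" if control in FATAL_CONTROLS else "skipped"
            report[key].append(f"{service} {mtype} {control} {module}")
    return report
```

On a real host, replace PRESENT_MODULES with a set built from os.path.exists() over the parsed module paths.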
