From: Archie Cobbs
Subject: sshd_config vs. PAM
To: freebsd-stable@freebsd.org
Date: Fri, 27 Sep 2002 14:35:03 -0700 (PDT)
Message-Id: <200209272135.g8RLZ3We005877@arch20m.dellroad.org>

Yow! I was surprised to notice that setting these parameters:

    PasswordAuthentication no
    PermitRootLogin without-password

in /etc/ssh/sshd_config has absolutely NO effect! This is because now
/etc/pam.conf seems to control everything (?)

This seems to violate POLA in a very dangerous way. Nor is this documented
anywhere in the ssh man pages... in fact, they lie and tell you that these
options increase security.
I recommend that we either detach sshd from PAM, or else stop documenting and
pretending that /etc/ssh/sshd_config actually controls this stuff.

-Archie

__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com
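The complaint above is that sshd_config settings such as PasswordAuthentication
and PermitRootLogin can be undercut by the PAM configuration without any
warning. As an added example (not from Archie's post and not FreeBSD's or
OpenSSH's own code), the following Python audit reads an sshd_config, applies
sshd's "first value wins" rule for repeated keywords, and reports the case that
still bites administrators today: with UsePAM yes and keyboard-interactive
(ChallengeResponseAuthentication / KbdInteractiveAuthentication) left enabled,
PAM can prompt for a password even though PasswordAuthentication is no. The
sample config, the DEFAULTS table and the assumption that keyboard-interactive
is what carries PAM password prompts are this example's own, and it goes
slightly beyond the post by also flagging shadowed duplicate keywords.

```python
"""Audit an sshd_config for authentication settings that PAM can undercut."""
import re

# Defaults applied when a keyword is absent. Assumption: these follow upstream
# OpenSSH defaults for the keywords audited here (FreeBSD ships UsePAM yes in
# its stock file, which is why the sample below sets it explicitly).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "usepam": "no",
    "permitrootlogin": "yes",
}

# Constructed sample sshd_config for demonstration, not any real host's file.
SAMPLE_CONFIG = """\
Port 22
PasswordAuthentication no
PermitRootLogin without-password
UsePAM yes
# later duplicate: sshd keeps the first value, so this line is ignored
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""


def parse_global_section(text):
    """Parse the global (pre-Match) section of an sshd_config.

    Returns (effective, shadowed): effective maps lower-cased keyword to the
    first value seen, which is the value sshd uses; shadowed lists
    (keyword, ignored_value) pairs for later duplicates. Lines after the first
    Match keyword are conditional and are not folded into the global view.
    """
    effective = {}
    shadowed = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # keyword [=] argument
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key in effective:
            shadowed.append((key, value))
        else:
            effective[key] = value
    return effective, shadowed


def audit(text):
    """Return {"effective": settings, "findings": [messages]} for a config."""
    effective, shadowed = parse_global_section(text)
    settings = dict(DEFAULTS)
    settings.update(effective)

    # ChallengeResponseAuthentication is the older name for the same switch;
    # prefer an explicit KbdInteractiveAuthentication, then the old name,
    # then the default (simplifying assumption for this example).
    kbd = effective.get(
        "kbdinteractiveauthentication",
        effective.get("challengeresponseauthentication",
                      DEFAULTS["kbdinteractiveauthentication"]),
    ).lower() == "yes"
    settings["kbdinteractiveauthentication"] = "yes" if kbd else "no"

    findings = []
    for key, value in shadowed:
        findings.append(
            f"duplicate {key} {value!r} ignored; effective value is "
            f"{settings[key]!r} (sshd uses the first value it reads)"
        )

    pam = settings["usepam"].lower() == "yes"
    if settings["passwordauthentication"].lower() == "no" and pam and kbd:
        findings.append(
            "PasswordAuthentication no does not stop password-style logins: "
            "UsePAM yes with keyboard-interactive enabled lets PAM prompt for "
            "a password; set KbdInteractiveAuthentication no (older releases: "
            "ChallengeResponseAuthentication no) or review the PAM policy"
        )
    return {"effective": settings, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for key in ("passwordauthentication", "permitrootlogin", "usepam"):
        print(f"{key} = {result['effective'][key]}")
    for finding in result["findings"]:
        print("WARNING:", finding)
```

Run it against a real /etc/ssh/sshd_config by passing the file contents to
audit(); an empty findings list means the password switches mean what they say
as far as sshd is concerned, but the PAM policy itself still has to be read
separately, which is exactly the gap the post complains about.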