Re: SSH package concerns...
Nathan Dragun wrote:
> PasswordAuthentication is set to no by default, as enabling it causes
> cleartext password authentication (obviously defeating the point of
> encrypting it in the first place).

No, it doesn't. It defaults to Off because Debian wants SSH to use PAM for
system account authentication, and not do it itself.

> And yes UsePAM = yes was set, for clarification. So I'd assume that
> meant that PAM authentication was final?

Nope, it's dependent on SSH configuration.

Adam

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe".
Trouble? Contact [EMAIL PROTECTED]
Re: Re: SSH package concerns...
> but sshd.conf contains the needed flags to limit the authentication methods
>
> doing man sshd_config says something like :
>
> UsePAM = yes
> PasswordAuthentication = no
>
> might do the trick

PasswordAuthentication is set to no by default, as enabling it causes
cleartext password authentication (obviously defeating the point of
encrypting it in the first place).

And yes UsePAM = yes was set, for clarification. So I'd assume that meant
that PAM authentication was final?

Nathan
Code is poetry.
Re: SSH package concerns...
This one time, at band camp, Ernest jw ter Kuile said:
> On Tuesday 10 May 2005 17:46, Adam Skutt wrote:
> > Pete Harlan wrote:
> > > It would be nice if there were a way to have the pam module indicate,
> > > "this failed, and that's final", as distinct from, "this failed so try
> > > something else".
> >
> > There is. Mark the module "requisite", and a failure from it will stop
> > the stack immediately.
>
> Only for pam.
>
> sshd is still free to try something else if pam returns a failure.
>
> but sshd.conf contains the needed flags to limit the authentication methods
>
> doing man sshd_config says something like :
>
> UsePAM = yes
> PasswordAuthentication = no
>
> might do the trick

As well as

PubkeyAuthentication
ChallengeResponseAuthentication

The various Kerberos options, and there used to be a Keyboard one, but I
guess that's deprecated now.

sshd supports quite a few auth mechanisms. If you want only one to be
authoritative, you're going to have to actually disable the others. This is
not a security flaw.
-- 
 |   ,''`.                                            Stephen Gran |
 |  : :' :                                        [EMAIL PROTECTED] |
 |  `. `'                        Debian user, admin, and developer |
 |    `-                                     http://www.debian.org |
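Stephen's point, that every mechanism you do not want must be switched off explicitly, is easy to check mechanically. The script below is an added example written for this page; it is not code from the thread, from Debian or from OpenSSH. It parses the sshd_config(5) syntax (keyword and value separated by whitespace or by optional whitespace and one '=', '#' comments, and the rule that the first value given for a keyword wins) and lists the authentication keywords that are still enabled. The defaults table is an assumption based on upstream OpenSSH defaults; a distribution's shipped /etc/ssh/sshd_config can override them, as the thread itself disputes for Debian, so run it against the real file rather than trusting the table.

```python
"""Audit an sshd_config for authentication methods that remain enabled.

Added example, not from the thread or from OpenSSH.  Assumption: the
defaults below are upstream OpenSSH defaults for keywords that the file
does not set; a packaged sshd_config may ship different values.
"""
import re

# Upstream sshd defaults for unspecified keywords (assumption, see above).
AUTH_DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "hostbasedauthentication": "no",
    "kerberosauthentication": "no",
    "gssapiauthentication": "no",
    "usepam": "no",
}

# Methods whose authentication step never consults the PAM auth stack.
PAM_BYPASSING = (
    "pubkeyauthentication",
    "hostbasedauthentication",
    "kerberosauthentication",
    "gssapiauthentication",
)

# sshd_config(5): keyword and argument separated by whitespace, or by optional
# whitespace and exactly one '='.  Keywords are case-insensitive.
_LINE = re.compile(r"^\s*([A-Za-z]+)\s*(?:=\s*|\s+)(.*?)\s*$")


def parse_sshd_config(text):
    """Return {keyword_lowercase: value}, honouring sshd's first-match rule.

    sshd_config(5): for each keyword the first obtained value is used, so a
    later duplicate does not override an earlier one.  Match blocks are
    conditional and must come last, so parsing stops at the first one
    (simplification for this example).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # comments run to end of line
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def enabled_auth_methods(settings):
    """Authentication keywords that are 'yes' after applying the defaults."""
    merged = dict(AUTH_DEFAULTS)
    for key in AUTH_DEFAULTS:
        if key in settings:
            merged[key] = settings[key].lower()
    return sorted(k for k, v in merged.items() if v == "yes" and k != "usepam")


def methods_bypassing_pam(settings):
    """Enabled methods that can let a user in without PAM deciding.

    With UsePAM off, sshd checks passwords against the system password
    database itself, so password logins also skip the PAM auth stack.
    """
    bypass = set(PAM_BYPASSING)
    if settings.get("usepam", AUTH_DEFAULTS["usepam"]).lower() != "yes":
        bypass.add("passwordauthentication")
    return [m for m in enabled_auth_methods(settings) if m in bypass]


# Constructed sample resembling the setup discussed in the thread: PAM is on
# and passwords are off, but public-key authentication was never disabled,
# and a later duplicate line tries (ineffectively) to turn it off.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed example, not a real host's file)
Port 22
UsePAM yes
PasswordAuthentication = no     # spaces around '=' are accepted
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
PubkeyAuthentication no         # ignored: the first value wins
"""


def audit(text):
    """Summarise which methods are enabled and which of them bypass PAM."""
    settings = parse_sshd_config(text)
    return {
        "enabled": enabled_auth_methods(settings),
        "bypassing_pam": methods_bypassing_pam(settings),
    }


if __name__ == "__main__":
    for label, methods in audit(SAMPLE_SSHD_CONFIG).items():
        print(f"{label}: {', '.join(methods) or '(none)'}")
```

On the constructed sample the audit reports PubkeyAuthentication as still enabled and bypassing PAM, which is exactly the kind of leftover path the thread is about; a pam_listfile deny has no effect on a key-based login.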
Re: SSH package concerns...
On Tuesday 10 May 2005 17:46, Adam Skutt wrote:
> Pete Harlan wrote:
> > It would be nice if there were a way to have the pam module indicate,
> > "this failed, and that's final", as distinct from, "this failed so try
> > something else".
>
> There is. Mark the module "requisite", and a failure from it will stop
> the stack immediately.

Only for pam.

sshd is still free to try something else if pam returns a failure.

but sshd.conf contains the needed flags to limit the authentication methods

doing man sshd_config says something like :

UsePAM = yes
PasswordAuthentication = no

might do the trick

> Adam
Re: SSH package concerns...
Pete Harlan wrote:
> It would be nice if there were a way to have the pam module indicate,
> "this failed, and that's final", as distinct from, "this failed so try
> something else".

There is. Mark the module "requisite", and a failure from it will stop the
stack immediately.

Adam
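To make the difference between "required" and "requisite" concrete, here is an added simulation of Linux-PAM's auth-stack control flags. It is example code written for this page, not code from the thread or from Linux-PAM; the allowed-user set, the password table and the two module functions are constructed stand-ins for /etc/sshloginusers, the shadow file and pam_listfile/pam_unix. The handling of "optional" and of a stack that never reaches a decision is simplified.

```python
"""Simulate Linux-PAM auth-stack control flags (added example, not Linux-PAM).

Shows why a 'required' failure still runs the rest of the stack while a
'requisite' failure returns immediately, and that either way the result
is only PAM's verdict: what the calling service does next is up to it.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"


@dataclass
class Module:
    control: str                          # required | requisite | sufficient | optional
    name: str
    check: Callable[[Dict[str, str]], str]  # returns a PAM_* code for one attempt


def run_auth_stack(stack: List[Module], attempt: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (final PAM result, names of modules that actually ran)."""
    executed: List[str] = []
    impression = None          # None = undecided, "positive" or "negative"
    status = PAM_PERM_DENIED   # simplified: an undecided stack is denied
    for mod in stack:
        result = mod.check(attempt)
        executed.append(mod.name)
        ok = result == PAM_SUCCESS
        if mod.control == "requisite" and not ok:
            # "this failed, and that's final": nothing after it is consulted
            return result, executed
        if mod.control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression, status = "positive", PAM_SUCCESS
            elif impression != "negative":
                # failure noted, but later modules still run so that the
                # caller cannot tell which one rejected the attempt
                impression, status = "negative", result
        elif mod.control == "sufficient":
            if ok and impression != "negative":
                return PAM_SUCCESS, executed   # short-circuit success
        elif mod.control == "optional":
            if impression is None:
                status = result  # only counts if nothing else decides
    return status, executed


# Constructed stand-ins for /etc/sshloginusers and the shadow file.
ALLOWED_SSH_USERS = {"alice", "carol"}
PASSWORDS = {"alice": "s3cret", "bob": "hunter2"}


def pam_listfile_allow(attempt: Dict[str, str]) -> str:
    """Stand-in for pam_listfile.so sense=allow item=user: user must be listed."""
    return PAM_SUCCESS if attempt["user"] in ALLOWED_SSH_USERS else PAM_AUTH_ERR


def pam_unix_auth(attempt: Dict[str, str]) -> str:
    """Stand-in for pam_unix.so: password must match the stored one."""
    return PAM_SUCCESS if PASSWORDS.get(attempt["user"]) == attempt["password"] else PAM_AUTH_ERR


def build_stack(listfile_control: str) -> List[Module]:
    """The thread's stack: the listfile check, then the normal password check."""
    return [
        Module(listfile_control, "pam_listfile", pam_listfile_allow),
        Module("required", "pam_unix", pam_unix_auth),
    ]


if __name__ == "__main__":
    bob = {"user": "bob", "password": "hunter2"}  # valid password, not in the list
    for control in ("required", "requisite"):
        result, ran = run_auth_stack(build_stack(control), bob)
        print(f"{control:9s} -> {result}, modules run: {ran}")
```

With "required", bob is still denied but pam_unix runs and checks his password; with "requisite", pam_unix never runs. In neither case does PAM's denial stop sshd from offering another method that does not go through this stack, which is the point Ernest and Stephen make about disabling the other mechanisms in sshd_config.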
Re: SSH package concerns...
Pete Harlan wrote:
> On Mon, May 09, 2005 at 10:16:24PM -0400, Adam Skutt wrote:
>
> He didn't say there wasn't another way to do it, he said there was a
> security hole.

Hence I said, don't use it. There is another way to do what he wants (more
or less) that doesn't have this security hole assuming the real issue wasn't
misconfiguration. Seeing as he wasn't apparently aware of the sshd
configuration, I pointed it out to him, seeing as it does exactly what he
wants.

Adam
Re: SSH package concerns...
On Tue, May 10, 2005 at 11:19:15AM -0400, Lennart Sorensen wrote:
> On Tue, May 10, 2005 at 10:09:59AM -0500, Pete Harlan wrote:
> > On Mon, May 09, 2005 at 10:16:24PM -0400, Adam Skutt wrote:
> > > Nathan Dragun wrote:
> > > > While setting up PAM in conjunction with SSH I included the following
> > > > line to deny access unless found in the following file:
> > > >
> > > > auth required pam_listfile.so sense=allow onerr=fail item=user
> > > > file=/etc/sshloginusers
> > > >
> > > > Which works, sort of.
> > > Don't use it. sshd(8) lets you deny and allow users via
> > > /etc/ssh/sshd_config.
> > >
> > > Reading the daemon documentation before doing something like this is
> > > always a good idea.
> >
> > He didn't say there wasn't another way to do it, he said there was a
> > security hole.
>
> I believe SSH supports multiple types of authentication. If pam fails,
> it will use the next configured one. It's a feature of ssh.

Thanks, that is helpful.

> It isn't as if pam can disable ssh key logins either. Is that a
> security hole?

It would be nice if there were a way to have the pam module indicate, "this
failed, and that's final", as distinct from, "this failed so try something
else".

> It still requires a valid account and password to login.

True, but I imagine that if someone is using this feature then they have
some accounts they trust less than others.

There are various ways to go about restricting logins (including sshd's
AllowUsers), but the pam method seemed reasonable to me. Particularly
because with PAM you could use the same user list for any number of
services, not just sshd.

(And I don't understand why it would work intermittently, but that's getting
far afield.)

--Pete
Re: SSH package concerns...
On Tue, May 10, 2005 at 10:09:59AM -0500, Pete Harlan wrote:
> On Mon, May 09, 2005 at 10:16:24PM -0400, Adam Skutt wrote:
> > Nathan Dragun wrote:
> > > While setting up PAM in conjunction with SSH I included the following
> > > line to deny access unless found in the following file:
> > >
> > > auth required pam_listfile.so sense=allow onerr=fail item=user
> > > file=/etc/sshloginusers
> > >
> > > Which works, sort of.
> > Don't use it. sshd(8) lets you deny and allow users via
> > /etc/ssh/sshd_config.
> >
> > Reading the daemon documentation before doing something like this is
> > always a good idea.
>
> He didn't say there wasn't another way to do it, he said there was a
> security hole.

I believe SSH supports multiple types of authentication. If pam fails, it
will use the next configured one. It's a feature of ssh.

It isn't as if pam can disable ssh key logins either. Is that a security
hole?

Misconfiguring sshd doesn't mean it is insecure. It still requires a valid
account and password to login.

Len Sorensen
Re: SSH package concerns...
On Mon, May 09, 2005 at 10:16:24PM -0400, Adam Skutt wrote:
> Nathan Dragun wrote:
> > While setting up PAM in conjunction with SSH I included the following
> > line to deny access unless found in the following file:
> >
> > auth required pam_listfile.so sense=allow onerr=fail item=user
> > file=/etc/sshloginusers
> >
> > Which works, sort of.
> Don't use it. sshd(8) lets you deny and allow users via
> /etc/ssh/sshd_config.
>
> Reading the daemon documentation before doing something like this is
> always a good idea.

He didn't say there wasn't another way to do it, he said there was a
security hole.

--Pete
Re: SSH package concerns...
Nathan Dragun wrote:
> While setting up PAM in conjunction with SSH I included the following
> line to deny access unless found in the following file:
>
> auth required pam_listfile.so sense=allow onerr=fail item=user
> file=/etc/sshloginusers
>
> Which works, sort of.

Don't use it. sshd(8) lets you deny and allow users via
/etc/ssh/sshd_config.

Reading the daemon documentation before doing something like this is always
a good idea.

Adam
Re: SSH package concerns...
This one time, at band camp, Nathan Dragun said:
> While setting up PAM in conjunction with SSH I included the following
> line to deny access unless found in the following file:
>
> auth required pam_listfile.so sense=allow onerr=fail item=user
> file=/etc/sshloginusers
>
> Which works, sort of.
> ...Let's say for example's sake the user "bob" is trying to get in, but is
> not listed in this file. Ie: not authorized. If I try to connect via
> the windows program PuTTY, the first attempt fails, naturally, but if I
> re-type the password when prompted it will let me in!!! Not good. I
> tested this several different ways and found that if I try and go from
> linux box to linux box after about 4 attempts it will let me in.
>
> SSH package version: OpenSSH_3.8.1p1 Debian-8.sarge.4
> in conjunction with: OpenSSL 0.9.7e 25 Oct 2004
>
> Now I was doing some research into this, figuring I configured something
> wrong or what not early on when I first noticed this authentication
> problem existed and noticed that there have been some huge changes from
> the 3.8.1p1 release back in October 2004 (Ironically, if I read that
> right, 4.0 was just released today). Changelog:
> ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog
>
> But, why on earth is this package so out of date?? Insight into this
> would be greatly appreciated.

What you are experiencing sounds like a configuration problem to me. You
presumably have multiple auth mechanisms listed besides UsePam, and
eventually one succeeds, although the PAM one failed.
-- 
 |   ,''`.                                            Stephen Gran |
 |  : :' :                                        [EMAIL PROTECTED] |
 |  `. `'                        Debian user, admin, and developer |
 |    `-                                     http://www.debian.org |