On Mandrake Linux 6.2, here is the PAM configuration I used for sshd:

[pascal@triton linux]$ ssh hermes cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nodelay
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_limits.so


In addition, I put a copy of the public keys on the remote host and a
copy of the known_hosts{,2} files from the remote to the local.

[pascal@triton linux]$ /bin/ls ~/.ssh
authorized_keys  authorized_keys2  id_dsa       id_dsa.pub  
identity         identity.pub      known_hosts  known_hosts2

[pascal@triton linux]$ ssh hermes ls -C .ssh 
authorized_keys  authorized_keys2  known_hosts  known_hosts2

And as you can see, I can ssh to the remote host (hermes) without a password.


> Date: Wed, 21 Mar 2001 18:09:14 -0800 (PST)
> From: David Knight French <[EMAIL PROTECTED]>
> 
> You don't say what system you are using as the server.  If it is Linux or 
> Solaris look at PAM.  This allows you to use kerberos, ldap, etc.  I will say, 
> you may have to write your own pam authentication module and make sure ssh was 
> compiled with pam support.  Then point the pam entries for sshd to your module 
> that checks some place other than /etc/passwd.
> 
> Not sure what you could do on other systems that don't have pam.  
> 
>       --Dave
>       
> >Date: Wed, 21 Mar 2001 17:22:01 -0600
> >From: Kelly Corbin <[EMAIL PROTECTED]>
> >Subject: Re: Authentication without /etc/passwd
> >
> >Thanks for the response.
> >
> >Blue Lang wrote:
> >
> >> On Wed, 21 Mar 2001, Kelly Corbin wrote:
> >> 
> >> 
> >>> Is it possible to do authentication by some other means other than
> >>> /etc/passwd or system login?  I know this sounds weird, but I want to
> >>> allow various logins in ssh, but not give them regular system access.
> >> 
> >> 
> >> yes. you can use host-based or key-based authentication. i've never heard
> >> of anyone using a different password file or NCSA or anything like that
> >> without hackage.
> >
> >That's exactly what I'm talking about; using a different password file 
> >or some other externally controlled mechanism such as a database, etc.
> >
> >
> >> 
> >> 
> >>> SSH2 makes it possible to run FTP over SSH for secure FTP connections,
> >>> but now that that security hole has been eliminated (clear text
> >>> passwords) in my system I want to make it even more secure.  ProFTPD
> >> 
> >> 
> >> if you're talking about sftp, then, no, it doesn't. i assume you're
> >> actually talking about tunnelled ftp?
> >
> >Yes, tunneled ftp.
> >
> >> 
> >> 
> >>> This way I could chroot a user to a particular directory in FTP, but
> >>> they wouldn't have a normal system login so they couldn't ssh in like a
> >>> normal system user.
> >> 
> >> 
> >> you can chroot users w/ssh. check the included docs.
> >
> >Chroot is not enough.  I don't even want them to have a shell; too many 
> >opportunities for exploits.  FTP access to the system only (even then, 
> >many FTP servers are riddled with latent security issues).  Regular 
> >system users can shell in OK, I don't care about them.  I want to 
> >severely restrict all other users.  Specifically, I want my web users to 
> >be able to update their sites, but not have any other access to the system.

-- 
__Pascal_Bourguignon__   Join the   (o_ Software patents are endangering
()  ASCII ribbon campaign against   //\ the computer industry all around
/\  html email and M$ attachments.  V_/ the world http://lpf.ai.mit.edu/
1962:DO20I=1.100  2001:my($f)=`fortune`;  http://petition.eurolinux.org/
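As an added example, not part of Pascal's message or of any project on this page: a small Python linter that parses a /etc/pam.d/sshd stack like the one above and reports the settings a reviewer would ask about. It flags nodelay (removes the pause after a failed authentication, so guessing is not throttled) and nullok (accepts an empty password in the phase where it appears), checks that pam_nologin.so is in the auth stack, and notes when every auth module is a local password-database module. That last check bears on Kelly's question: the stack as posted still takes its users from /etc/passwd and /etc/shadow via pam_pwdb, so an LDAP, Kerberos or custom module would have to replace or precede pam_pwdb in the auth and account stacks. The sample stacks, the message texts and the module lists are the example's own constructions.

```python
"""Lint a Linux-PAM service file (e.g. /etc/pam.d/sshd) for the settings discussed above."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the stack quoted in the message, embedded so this runs offline.
SAMPLE_SSHD_PAM = """\
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nodelay
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_limits.so
"""

# Constructed "corrected" variant: same stack without nodelay and nullok.
HARDENED_SSHD_PAM = SAMPLE_SSHD_PAM.replace(" nodelay", "").replace(" nullok", "")

# Modules that authenticate against the local password database (assumption: this list
# is the example's own; extend it for your distribution).
LOCAL_PASSWD_MODULES = {"pam_pwdb.so", "pam_unix.so"}
# Modules in the auth stack that do not decide identity at all.
INFO_ONLY_MODULES = {"pam_nologin.so"}
KNOWN_CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}


@dataclass
class PamEntry:
    mtype: str                      # auth / account / password / session
    control: str                    # required, sufficient, ... or a bracketed [..] form
    module: str                     # basename only, e.g. pam_pwdb.so
    args: List[str] = field(default_factory=list)


def parse_pam(text: str) -> List[PamEntry]:
    """Parse pam.d lines; comments and blanks are skipped, bracketed controls kept whole."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if len(tokens) < 3:
            raise ValueError(f"malformed pam line: {raw!r}")
        mtype = tokens[0].lstrip("-").lower()   # leading '-' = "silently skip if module missing"
        if tokens[1].startswith("["):
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
        else:
            control, rest = tokens[1].lower(), tokens[2:]
        if not rest:
            raise ValueError(f"pam line has no module: {raw!r}")
        module, *args = rest
        entries.append(PamEntry(mtype, control, module.rsplit("/", 1)[-1], args))
    return entries


def lint_sshd_stack(entries: List[PamEntry]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    by_type: Dict[str, List[PamEntry]] = {}
    for e in entries:
        by_type.setdefault(e.mtype, []).append(e)

    for t in ("auth", "account", "password", "session"):
        if t not in by_type:
            findings.append(f"{t}: no entries, the service falls back to the 'other' stack")

    auth = by_type.get("auth", [])
    if not any(e.module in INFO_ONLY_MODULES for e in auth):
        findings.append("auth: pam_nologin.so absent, /etc/nologin will not block logins")
    backends = [e for e in auth if e.module not in INFO_ONLY_MODULES]
    if backends and all(e.module in LOCAL_PASSWD_MODULES for e in backends):
        findings.append("auth: only local password modules, users still come from /etc/passwd")

    for e in entries:
        if e.control not in KNOWN_CONTROLS and not e.control.startswith("["):
            findings.append(f"{e.mtype}: unknown control flag {e.control!r} on {e.module}")
        if e.module == "pam_pwdb.so" and e.mtype in ("auth", "password") and "shadow" not in e.args:
            findings.append(f"{e.mtype}: pam_pwdb.so without 'shadow', hashes read from /etc/passwd")
        if "nodelay" in e.args:
            findings.append(f"{e.mtype}: {e.module} uses nodelay, failed logins are not throttled")
        if "nullok" in e.args:
            findings.append(f"{e.mtype}: {e.module} uses nullok, empty passwords accepted here")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SSHD_PAM), ("hardened", HARDENED_SSHD_PAM)):
        print(f"== {name} ==")
        for finding in lint_sshd_stack(parse_pam(text)):
            print("  -", finding)
```

Run it against a real file with `lint_sshd_stack(parse_pam(open("/etc/pam.d/sshd").read()))`; the "only local password modules" finding is the one that tells you whether the sshd stack has actually been pointed at a different backend.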