depontius Advocate
Joined: 05 May 2004 Posts: 3525
Posted: Thu Nov 02, 2006 6:44 pm Post subject: pam_ssh configuration - optional vs sufficient
In the pam_ssh documentation, they suggest tweaking the necessary /etc/pam.d files:
Code:
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_ssh.so
auth sufficient /lib/security/pam_unix.so try_first_pass likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session sufficient /lib/security/pam_ssh.so
session required /lib/security/pam_unix.so
I thought that "sufficient" meant that pam processing would stop at that point, if conditions were met, and subsequent statements in that stanza would not be processed. If that's the case, it would seem to me that for authentication and session, assuming pam_ssh were able to unlock a private key with the provided password, then pam_unix would never get tried. By this token, it would seem to me that an unlockable private key would be adequate to get access.
I would think that "optional" would be a better option, so that people without a private key could have access, and pam_unix would always be executed.
On another note, it would sure be nice if pam_ssh also handled "password" and would change the passphrase of your private key for you.
By the way, I'm wanting to use this with a special key to do cross-system rsync on my home systems. I want to back up home directories between 2 systems, both for backup and for poor man's single-system-image. There is a "keyfiles" option to pam_ssh that will let me login-authenticate a special key for backup/rsync, yet leave stronger keys for remote access.
_________________
.sigs waste space and bandwidth
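An added example, not from the post or from the pam_ssh project: a small Python simulation of Linux-PAM's control-flag semantics (required, requisite, sufficient, optional), run over the auth stanza quoted in the post and over the "optional" variant the poster proposes. Module outcomes are constructed inputs (no real PAM module runs), covering the two cases the post reasons about: a key whose passphrase unlocks but whose owner's Unix password is wrong, and the reverse.

```python
# Simulation of Linux-PAM stack evaluation (added example, constructed inputs).
# Semantics modelled:
#   required   - failure is recorded, but the rest of the stack still runs
#   requisite  - failure returns immediately
#   sufficient - success ends the stack with success, unless a 'required'
#                module already failed; failure is ignored
#   optional   - ignored unless it is the only kind of module in the stack
PAM_SUCCESS = "success"
PAM_FAIL = "fail"


def run_stack(stack, results):
    """Return (outcome, list of modules actually executed)."""
    executed = []
    first_failure = None      # first failing 'required' module, if any
    last_ok = True
    for control, module in stack:
        # Modules absent from `results` fail; pam_deny is never listed, so it fails.
        ok = results.get(module, False)
        executed.append(module)
        last_ok = ok
        if control == "requisite" and not ok:
            return PAM_FAIL, executed
        if control == "required" and not ok and first_failure is None:
            first_failure = module
        if control == "sufficient" and ok and first_failure is None:
            return PAM_SUCCESS, executed        # short-circuit: later modules never run
    if first_failure is not None:
        return PAM_FAIL, executed
    if all(c == "optional" for c, _ in stack):  # only-optional stacks use the last result
        return (PAM_SUCCESS if last_ok else PAM_FAIL), executed
    return PAM_SUCCESS, executed


# The auth stanza from the pam_ssh documentation, as quoted in the post.
AUTH_STACK_SUFFICIENT = [
    ("required", "pam_env"), ("sufficient", "pam_ssh"),
    ("sufficient", "pam_unix"), ("required", "pam_deny"),
]
# The poster's proposed change: pam_ssh as 'optional'.
AUTH_STACK_OPTIONAL = [
    ("required", "pam_env"), ("optional", "pam_ssh"),
    ("sufficient", "pam_unix"), ("required", "pam_deny"),
]

# Constructed outcomes: the typed password unlocks the key but is not the Unix password.
KEY_ONLY = {"pam_env": True, "pam_ssh": True, "pam_unix": False}
# Constructed outcomes: correct Unix password, no unlockable key.
PASSWORD_ONLY = {"pam_env": True, "pam_ssh": False, "pam_unix": True}

if __name__ == "__main__":
    for name, stack in (("sufficient", AUTH_STACK_SUFFICIENT), ("optional", AUTH_STACK_OPTIONAL)):
        print(name, "key-only:", run_stack(stack, KEY_ONLY))
        print(name, "password-only:", run_stack(stack, PASSWORD_ONLY))
```

With `sufficient`, the key-only case succeeds after pam_ssh and pam_unix is never executed; with `optional`, pam_unix always runs, and the trailing `required pam_deny` is what turns a failed pam_unix into a denial.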