Henry Qin
2024-Jun-27 21:25 UTC
Proposal to add a DisableAuthentication option to sshd ServerOptions
Thanks for the pointer!
I played around with PamServiceName set to 'sshd_disable_auth' and got it working with the minimum contents below in the file /etc/pam.d/sshd_disable_auth.

auth required pam_permit.so
account required pam_permit.so
session required pam_permit.so

Thus, this does indeed enable disabling authentication.

Unfortunately, as far as I can tell, only root can create files in /etc/pam.d in most default system configurations.
Moreover, it is somewhat common to disallow root in an actual deployed environment.

That means that this approach is infeasible when running sshd as an ordinary user, both generally and in deployed environments, unless the container or deployed VM already has a pam configuration file such as /etc/pam.d/sshd_disable_auth deployed with it.

Thus, I'm still interested in your opinions on the proposed patch, which would grant more flexibility to ordinary users, and allow ad hoc usage in deployed scenarios without having to prepare a container with a bespoke pam configuration file.

~Henry

On Thu, Jun 27, 2024 at 10:58 AM Peter Moody <mindrot at hda3.com> wrote:
> see pam_permit(8)
>
>
> On Thu, Jun 27, 2024 at 10:37 AM Henry Qin <hq6 at cs.stanford.edu> wrote:
> >
> > When I looked at `man pam_unix`, I did not see any obvious options that would
> > cause ssh to authenticate without prompting for a password at all, short of
> > setting an empty password which is similar to PermitEmptyPasswords option.
> >
> > However, I am not very familiar with the internals of PAM, so pointers to
> > documentation would be greatly appreciated.
> >
> > Also, I think adding a single line to sshd_config is simpler for most users to
> > do correctly than configuring an alternate PAM stack without breaking their
> > primary sshd setup, which is why I think the patch may still be useful.
> >
> > On Thu, Jun 27, 2024 at 7:57 AM Carson Gaspar <carson at taltos.org> wrote:
> >
> > > On 6/26/2024 9:34 PM, Henry Qin wrote:
> > > > Hi folks,
> > > >
> > > > I've recently started to work on a patch for openssh that introduces a new
> > > > option to disable authentication.
> > > > I'd like to explain why I think this might be generally useful, and solicit
> > > > opinions on whether such a patch would be acceptable to the maintainers as
> > > > a pull request.
> > >
> > > Why not just use a different PAM stack? The new release allows
> > > specifying the stack name. This should do what you want with no code
> > > changes using Password / KbdInteractive AuthN.
> > >
> > > --
> > >
> > > Carson
> > >
> > > _______________________________________________
> > > openssh-unix-dev mailing list
> > > openssh-unix-dev at mindrot.org
> > > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
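The thread shows what a permit-everything PAM service looks like: every phase of /etc/pam.d/sshd_disable_auth is satisfied by pam_permit.so, so any sshd pointed at that service name accepts any password. From a defender's side, the useful counterpart is a check that finds such stacks on a host. The following is an added example written for this page, not code from the thread or from OpenSSH; the parser, the audit rules and the sample file contents (SAMPLE_FILES) are constructed here, and the finding names ('permit-only', 'permit-sufficient', 'no-auth-rules') are this example's own labels.

```python
"""Audit pam.d-style service files for 'auth' stacks that grant access
unconditionally (added example; sample inputs below are constructed)."""
import re
from dataclasses import dataclass

# Modules that always succeed. pam_permit(8) is the one named in the thread.
PERMISSIVE_MODULES = {"pam_permit.so"}


@dataclass
class Rule:
    phase: str      # auth | account | password | session | @include
    control: str    # required, sufficient, [success=ok ...], ...
    module: str     # e.g. pam_unix.so, or the included file for @include
    args: list


def parse_pam(text: str) -> list:
    """Parse pam.d lines into Rule objects.

    Handles '#' comments, trailing-backslash continuations, the optional
    leading '-' on the type, bracketed [...] controls and @include lines."""
    rules, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        line, logical = (logical + line).strip(), ""
        if not line:
            continue
        if line.startswith("@include"):
            parts = line.split(None, 1)
            rules.append(Rule("@include", "", parts[1] if len(parts) > 1 else "", []))
            continue
        m = re.match(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$", line)
        if m:
            phase, control, module, rest = m.groups()
            rules.append(Rule(phase, control, module, rest.split()))
    return rules


def audit_auth_stack(rules: list) -> list:
    """Return findings for the 'auth' phase of one parsed service file.

    'permit-only'       : every auth rule is a permissive module
    'permit-sufficient' : a permissive module with 'sufficient' control runs
                          before any real authenticator (short-circuits it)
    'no-auth-rules'     : no auth rules and no @include, so nothing checks
                          credentials at all."""
    auth = [r for r in rules if r.phase == "auth"]
    includes = [r for r in rules if r.phase == "@include"]
    if not auth:
        return [] if includes else ["no-auth-rules"]
    if all(r.module in PERMISSIVE_MODULES for r in auth):
        return ["permit-only"]
    for r in auth:  # walk in stack order until the first real authenticator
        if r.module not in PERMISSIVE_MODULES:
            break
        if r.control == "sufficient":
            return ["permit-sufficient"]
    return []


# Constructed sample service files, keyed by the name sshd would select.
SAMPLE_FILES = {
    # the stack posted in the thread
    "sshd_disable_auth": "auth required pam_permit.so\n"
                         "account required pam_permit.so\n"
                         "session required pam_permit.so\n",
    # a conventional stack that delegates auth to an included file
    "sshd": "@include common-auth\n"
            "account required pam_nologin.so\n"
            "@include common-account\n"
            "session required pam_loginuid.so\n",
    # a subtler variant: pam_unix is present but never reached
    "sshd_broken": "auth sufficient pam_permit.so\n"
                   "auth required pam_unix.so\n",
}


def audit_all(files: dict) -> dict:
    """Map each service name to its list of findings."""
    return {name: audit_auth_stack(parse_pam(text)) for name, text in files.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_FILES).items():
        print(f"{name:20s} {findings or 'ok'}")
```

To run this against a real host, replace SAMPLE_FILES with the contents of each file under /etc/pam.d; the check only reports on the service files it is given, so the @include targets (common-auth and the like) should be audited as their own entries rather than followed recursively.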
Peter Moody
2024-Jun-27 21:49 UTC
Proposal to add a DisableAuthentication option to sshd ServerOptions
I'm not a maintainer, but my personal opinion is that it's probably easier to prepare a container with this pam configuration.

On Thu, Jun 27, 2024 at 2:26 PM Henry Qin <hq6 at cs.stanford.edu> wrote:
>
> Thanks for the pointer!
> I played around with PamServiceName set to 'sshd_disable_auth' and got it working with the minimum contents below in the file /etc/pam.d/sshd_disable_auth.
>
> auth required pam_permit.so
> account required pam_permit.so
> session required pam_permit.so
>
> Thus, this does indeed enable disabling authentication.
>
> Unfortunately, as far as I can tell, only root can create files in /etc/pam.d in most default system configurations.
> Moreover, it is somewhat common to disallow root in an actual deployed environment.
>
> That means that this approach is infeasible when running sshd as an ordinary user, both generally and in deployed environments, unless the container or deployed VM already has a pam configuration file such as /etc/pam.d/sshd_disable_auth deployed with it.
>
> Thus, I'm still interested in your opinions on the proposed patch, which would grant more flexibility to ordinary users, and allow ad hoc usage in deployed scenarios without having to prepare a container with a bespoke pam configuration file.
>
> ~Henry
>
> On Thu, Jun 27, 2024 at 10:58 AM Peter Moody <mindrot at hda3.com> wrote:
>>
>> see pam_permit(8)
>>
>>
>> On Thu, Jun 27, 2024 at 10:37 AM Henry Qin <hq6 at cs.stanford.edu> wrote:
>> >
>> > When I looked at `man pam_unix`, I did not see any obvious options that would
>> > cause ssh to authenticate without prompting for a password at all, short of
>> > setting an empty password which is similar to PermitEmptyPasswords option.
>> >
>> > However, I am not very familiar with the internals of PAM, so pointers to
>> > documentation would be greatly appreciated.
>> >
>> > Also, I think adding a single line to sshd_config is simpler for most users to
>> > do correctly than configuring an alternate PAM stack without breaking their
>> > primary sshd setup, which is why I think the patch may still be useful.
>> >
>> > On Thu, Jun 27, 2024 at 7:57 AM Carson Gaspar <carson at taltos.org> wrote:
>> >
>> > > On 6/26/2024 9:34 PM, Henry Qin wrote:
>> > > > Hi folks,
>> > > >
>> > > > I've recently started to work on a patch for openssh that introduces a new
>> > > > option to disable authentication.
>> > > > I'd like to explain why I think this might be generally useful, and solicit
>> > > > opinions on whether such a patch would be acceptable to the maintainers as
>> > > > a pull request.
>> > >
>> > > Why not just use a different PAM stack? The new release allows
>> > > specifying the stack name. This should do what you want with no code
>> > > changes using Password / KbdInteractive AuthN.
>> > >
>> > > --
>> > >
>> > > Carson
>> > >
>> > > _______________________________________________
>> > > openssh-unix-dev mailing list
>> > > openssh-unix-dev at mindrot.org
>> > > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev