freebsd security - Jun 2004 - 4.x, PAM, password facility

Hi,

I've been playing around with pam_mysql, and have it working for
interactive logins (backed by /etc/passwd entries for uid/gid w/*'d
password field) and it works well so far.

Looking at the source to the module, it does support password changing.
So I put in the following entry in pam.conf:

sshd    password required       pam_mysql.so user=root db=pam table=users
crypt=1

However, it doesn't seem to hit the module at all for password changes.  I
also noticed the default line is like so:

sshd   password required       pam_permit.so

I would have expected a "pam_unix.so" there instead.  Is the password
facility implemented in 4.x?

And since I know there's someone lurking here that knows this, is there
any way to have OpenSSH deny a login when a user has key-based auth setup
on their account?  I never found a good way to take care of that; changing
the shell, etc. is a bit awkward.

Thanks,

Charles

--
Charles Sprickman
spork@inch.com

On Fri, Jun 18, 2004 at 04:26:19PM -0400, Charles Sprickman wrote:
[snip]
> And since I know there's someone lurking here that knows this, is there
> any way to have OpenSSH deny a login when a user has key-based auth setup
> on their account?  I never found a good way to take care of that; changing
> the shell, etc. is a bit awkward.
The sshd_config(5) manual page for OpenSSH in both -STABLE and -CURRENT
mentions Allow/DenyUsers/Groups.  I'm not sure how long this has been
around, though - I seem to remember a time when only ssh.com's sshd
supported this.

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If I had finished this sentence,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :
http://lists.freebsd.org/pipermail/freebsd-security/attachments/20040621/85ce45b9/attachment.bin

Charles Sprickman <spork@inch.com> writes:
> I would have expected a "pam_unix.so" there instead.  Is the
password
> facility implemented in 4.x?
no.

DES
-- 
Dag-Erling Sm?rgrav - des@des.no