Henry Qin
2024-Jun-27 17:32 UTC
Proposal to add a DisableAuthentication option to sshd ServerOptions
When I looked at `man pam_unix`, I did not see any obvious options that would cause ssh to authenticate without prompting for a password at all, short of setting an empty password which is similar to PermitEmptyPasswords option. However, I am not very familiar with the internals of PAM, so pointers to documentation would be greatly appreciated. Also, I think adding a single line to sshd_config is simpler for most users to do correctly than configuring an alternate PAM stack without breaking their primary sshd setup, which is why I think the patch may still be useful. On Thu, Jun 27, 2024 at 7:57?AM Carson Gaspar <carson at taltos.org> wrote:> On 6/26/2024 9:34 PM, Henry Qin wrote: > > Hi folks, > > > > I've recently started to work on a patch for openssh that introduces a > new > > option to disable authentication. > > I'd like to explain why I think this might be generally useful, and > solicit > > opinions on whether such a patch would be acceptable to the maintainers > as > > a pull request. > > Why not just use a different PAM stack? The new release allows > specifying the stack name. This should do what you want with no code > changes using Password / KbdInteractive AuthN. > > -- > > Carson > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >
Peter Moody
2024-Jun-27 17:58 UTC
Proposal to add a DisableAuthentication option to sshd ServerOptions
see pam_permit(8) On Thu, Jun 27, 2024 at 10:37?AM Henry Qin <hq6 at cs.stanford.edu> wrote:> > When I looked at `man pam_unix`, I did not see any obvious options that > would > cause ssh to authenticate without prompting for a password at all, short of > setting an empty password which is similar to PermitEmptyPasswords option. > > However, I am not very familiar with the internals of PAM, so pointers to > documentation would be greatly appreciated. > > Also, I think adding a single line to sshd_config is simpler for most users > to > do correctly than configuring an alternate PAM stack without breaking their > primary sshd setup, which is why I think the patch may still be useful. > > On Thu, Jun 27, 2024 at 7:57?AM Carson Gaspar <carson at taltos.org> wrote: > > > On 6/26/2024 9:34 PM, Henry Qin wrote: > > > Hi folks, > > > > > > I've recently started to work on a patch for openssh that introduces a > > new > > > option to disable authentication. > > > I'd like to explain why I think this might be generally useful, and > > solicit > > > opinions on whether such a patch would be acceptable to the maintainers > > as > > > a pull request. > > > > Why not just use a different PAM stack? The new release allows > > specifying the stack name. This should do what you want with no code > > changes using Password / KbdInteractive AuthN. > > > > -- > > > > Carson > > > > _______________________________________________ > > openssh-unix-dev mailing list > > openssh-unix-dev at mindrot.org > > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Apparently Analagous Threads
- Proposal to add a DisableAuthentication option to sshd ServerOptions
- Proposal to add a DisableAuthentication option to sshd ServerOptions
- Proposal to add a DisableAuthentication option to sshd ServerOptions
- Proposal to add a DisableAuthentication option to sshd ServerOptions
- Proposal to add a DisableAuthentication option to sshd ServerOptions