Displaying 9 results from an estimated 9 matches for "disableauthentication".
2024 Jun 27
1
Proposal to add a DisableAuthentication option to sshd ServerOptions
On 6/26/2024 9:34 PM, Henry Qin wrote:
> Hi folks,
>
> I've recently started to work on a patch for openssh that introduces a new
> option to disable authentication.
> I'd like to explain why I think this might be generally useful, and solicit
> opinions on whether such a patch would be acceptable to the maintainers as
> a pull request.
Why not just use a different
2024 Jun 27
1
Proposal to add a DisableAuthentication option to sshd ServerOptions
When I looked at `man pam_unix`, I did not see any obvious options that
would
cause ssh to authenticate without prompting for a password at all, short of
setting an empty password which is similar to PermitEmptyPasswords option.
However, I am not very familiar with the internals of PAM, so pointers to
documentation would be greatly appreciated.
Also, I think adding a single line to sshd_config
2024 Jun 27
1
Proposal to add a DisableAuthentication option to sshd ServerOptions
On 27.06.24 06:34, Henry Qin wrote:
> *Specific use cases:*
> 1. Combine sshd on an unprivileged port with kubectl port-forward to
> replace kubectl exec for shelling into containers running in a secure
> Kubernetes environment. Kubectl exec does not kill processes on disconnect,
> and does not support remote port forwarding, while ssh does both of these
> things.
> 2. Run an
2024 Jun 27
1
Proposal to add a DisableAuthentication option to sshd ServerOptions
see pam_permit(8)
On Thu, Jun 27, 2024 at 10:37?AM Henry Qin <hq6 at cs.stanford.edu> wrote:
>
> When I looked at `man pam_unix`, I did not see any obvious options that
> would
> cause ssh to authenticate without prompting for a password at all, short of
> setting an empty password which is similar to PermitEmptyPasswords option.
>
> However, I am not very familiar
2024 Jun 27
2
Proposal to add a DisableAuthentication option to sshd ServerOptions
Hi folks,
I've recently started to work on a patch for openssh that introduces a new
option to disable authentication.
I'd like to explain why I think this might be generally useful, and solicit
opinions on whether such a patch would be acceptable to the maintainers as
a pull request.
*Why is this useful?*
Openssh has useful capabilities such as remote and local port-forwarding,
as well
2024 Jun 27
1
Proposal to add a DisableAuthentication option to sshd ServerOptions
Thanks for the pointer!
I played around with PamServiceName set to 'sshd_disable_auth' and got it
working with the minimum contents below in the file
/etc/pam.d/sshd_disable_auth.
auth required pam_permit.so
account required pam_permit.so
session required pam_permit.so
Thus, this does indeed enable disabling authentication.
Unfortunately, as far as I can tell, only root can create files
2024 Jun 27
1
Proposal to add a DisableAuthentication option to sshd ServerOptions
i'm not a maintainer, but my personal opinion is that it's probably
easier to prepare a container with this pam configuration
On Thu, Jun 27, 2024 at 2:26?PM Henry Qin <hq6 at cs.stanford.edu> wrote:
>
> Thanks for the pointer!
> I played around with PamServiceName set to 'sshd_disable_auth' and got it working with the minimum contents below in the file
2024 Jun 27
1
Proposal to add a DisableAuthentication option to sshd ServerOptions
I would like to understand your opinion a little more deeply.
Are you suggesting that it's easier to (prepare the container and add a
line at runtime) compared to (add a line to an sshd config at runtime)? The
latter scenario would be the case if the patch is merged.
Or did you mean that it's easier to prepare the container than to implement
a correct patch into sshd to enable the option
2024 Jun 27
1
Proposal to add a DisableAuthentication option to sshd ServerOptions
it's not just adding a line at runtime. it's the openssh maintainers
maintaining an odd codepath and testing it at each release and
answering questions about the configuration, etc.
On Thu, Jun 27, 2024 at 3:00?PM Henry Qin <hq6 at cs.stanford.edu> wrote:
>
> I would like to understand your opinion a little more deeply.
>
> Are you suggesting that it's easier to