Thanks for the security rundown, Jim!

On Fri 2008-04-04 12:55:26 -0400, Jim Knoble wrote:

> If you're attempting to restrict a user to only pubkey
> authentication so that you can use authorized_keys to control what
> the user may do, then you should pay particular attention to the
> *Authentication directives:
>
> PubkeyAuthentication yes
> PasswordAuthentication no
> ChallengeResponseAuthentication no
> HostbasedAuthentication no
> KerberosAuthentication no
> GSSAPIAuthentication no
> UsePAM no
You should also pay attention to KbdInteractiveAuthentication.

Also, if you've locked down the *Authentication directives, there
should be no reason to "UsePAM no". In fact, depending on PAM
configs, setting "UsePAM no" could open the system to undesirable
access. This is because PAM session and account modules can be used
to deny access (e.g. the pam_require module [0]), and these checks
won't be applied if SSH declines to consult the PAM stack.

Happy Hacking,

--dkg

[0] http://www.splitbrain.org/projects/pam_require
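The audit that Jim's and dkg's advice implies, as an added shell example that is not part of the thread: it reads the global section of an sshd_config (the sample file below is constructed) and reports every listed *Authentication directive, plus UsePAM, whose effective value differs from a pubkey-only setup that still consults PAM. An absent directive is reported as "unset", since the compiled-in default then applies and the reader should decide explicitly.

```shell
#!/bin/sh
# Added example (not from the thread): audit the global section of an
# sshd_config for the authentication directives discussed above.
# Keywords in sshd_config are case-insensitive, "#" starts a comment, and
# anything after the first "Match" line is conditional, so it is skipped.

# Constructed sample sshd_config for the demo (not taken from a real host).
SAMPLE_CONFIG='# sshd_config (constructed sample)
Port 22
pubkeyauthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# KbdInteractiveAuthentication left at its default here
UsePAM no
Match User backup
    PasswordAuthentication yes
'

# Expected value of each directive for a pubkey-only host that still lets
# PAM account/session modules deny logins (hence UsePAM yes).
EXPECTED='PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
UsePAM yes'

# global_value <config-text> <directive>: prints the effective global value
# (sshd uses the first occurrence of a keyword) or "unset" if absent.
global_value() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        tolower($1) == "match" { exit }         # conditional section begins
        tolower($1) == key && !found { print tolower($2); found = 1 }
        END { if (!found) print "unset" }'
}

# audit_sshd_config <config-text>: prints "DIRECTIVE expected=X actual=Y"
# for every directive whose effective global value deviates.
audit_sshd_config() {
    printf '%s\n' "$EXPECTED" | while read -r directive want; do
        actual=$(global_value "$1" "$directive")
        [ "$actual" = "$want" ] || echo "$directive expected=$want actual=$actual"
    done
}

audit_sshd_config "$SAMPLE_CONFIG"
```

On a live host, feed it the output of `sshd -T` instead of the raw file to see values after defaults are applied.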


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev