On Mon, 2004-11-08 at 07:33 +0200, Tzafrir Cohen wrote:
> Hi
> 
> Thanks for reporting back.
> 
> Two notes:

> > Well, first of all, thanks for those who answered.
> > Now, the answer to my question is going as follows:
> > 1. install openssh3.9p1 (3.6p1 which ships with fedora-core2 doesn't
> > support pam very well)
> 
> Could you elaborate on those problems?
> 
> > 2. in /etc/ssh/sshd_config set the following options:
> > UsePAM      yes # (this option doesn't exist in openssh3.6p1)
> 
> Because it's the default?
> 

when i wrote "doesn't support pam very well" regarding ver. 3.6p1, what
i actually meant was that the support isn't complete. it seemed to me
(at least at the time, without digging *really* deep, and soon i'll
explain why) that it just can't authenticate using pam, and that's it.
i thought that way because i configured pam alright and ssh still didn't
use it for the authentication.

ver. 3.9p1 on the contrary just had this amazing option called UsePAM
(defaulted to NO), which just did the trick. turning it on and all the
pam magic started to work :)

now, a few notes from when i became a little smarter and checked
some things now:
1. ver 3.8p1 (available on a debian sarge of a friend of mine, which i
don't have root for) - the manpage of sshd_config(5) shows that this
ver. supports the UsePAM option.
2. ver. 3.6p2 (available on a mdk10.0stable of another friend of mine,
which i don't have root for either) - checking the same manpage shows
the following option:

<quote>
PAMAuthenticationViaKbdInt
             Specifies whether PAM challenge response authentication is
             allowed. This allows the use of most PAM challenge response
             authentication modules, but it will allow password
             authentication regardless of whether PasswordAuthentication
             is enabled.
</quote>

don't know why i thought before that this option is irrelevant (i should
spank myself for that...), but possibly it could have done the job
also.
two problems with it:
a- it's very clear from here that the support of pam here is partial.
(and about that i can put my quote of "doesn't support pam very well")
b- i already upgraded to ver. 3.9p1 on the machines i have root on, so i
can't really check it myself/don't want to downgrade :-)

3. and for last, just for the good order of things, this is from the
sshd_config(5) manpage of ver. 3.9p1 about UsePAM:
<quote>
UsePAM  Enables the Pluggable Authentication Module interface.  If set to
             ``yes'' this will enable PAM authentication using
             ChallengeResponseAuthentication and PAM account and session
             module processing for all authentication types.

             Because PAM challenge-response authentication usually serves an
             equivalent role to password authentication, you should disable
             either PasswordAuthentication or ChallengeResponseAuthentication.

             If UsePAM is enabled, you will not be able to run sshd(8) as a
             non-root user.  The default is ``no''.
</quote>


Noam
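
Added example, not part of the original message and not OpenSSH code: a small checker that reads sshd_config text and flags the two caveats from the manpage excerpts quoted above (UsePAM with both password paths open, and PAMAuthenticationViaKbdInt bypassing PasswordAuthentication). The function names, the sample configs, and the "yes" defaults for PasswordAuthentication and ChallengeResponseAuthentication are assumptions of this sketch; Match blocks are not handled.

```python
import re

# UsePAM defaulting to "no" is stated in the 3.9p1 manpage quoted above.
# The other two defaulting to "yes" is an assumption of this sketch.
DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

def effective_options(config_text):
    """Parse sshd_config text. Keywords are case-insensitive and the first
    occurrence of a keyword is the one that takes effect."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or full-line comment
        parts = re.split(r"[\s=]+", line, maxsplit=2)
        if len(parts) < 2:
            continue  # keyword without an argument
        # setdefault keeps the first value seen for each keyword
        opts.setdefault(parts[0].lower(), parts[1].strip('"').lower())
    return opts

def audit(config_text):
    """Return findings for the PAM caveats described in the manpages."""
    opts = {**DEFAULTS, **effective_options(config_text)}
    findings = []
    if (opts["usepam"] == "yes"
            and opts["passwordauthentication"] == "yes"
            and opts["challengeresponseauthentication"] == "yes"):
        findings.append("UsePAM with both PasswordAuthentication and "
                        "ChallengeResponseAuthentication enabled: disable one")
    if opts.get("pamauthenticationviakbdint") == "yes":
        findings.append("PAMAuthenticationViaKbdInt allows password "
                        "authentication even if PasswordAuthentication is no")
    return findings

# Constructed sample configs, not taken from any real host.
SAMPLE_39 = "# 3.9p1 style\nUsePAM yes\nPasswordAuthentication no\nusepam no\n"
SAMPLE_36 = "PasswordAuthentication no\nPAMAuthenticationViaKbdInt yes\n"

if __name__ == "__main__":
    for name, text in (("3.9p1", SAMPLE_39), ("3.6", SAMPLE_36)):
        print(name, audit(text) or "ok")
```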

