Package: libpam-ssh
Version: 1.91.0-9
Severity: grave
Tags: security
Justification: user security hole
Hello,

I want to use only pam-ssh to log in on my computer. So I modified the login pam file and commented out @include common-auth. Here is part of my /etc/pam.d/login:

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth       requisite  pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

# This module parses /etc/environment (the standard for setting
# environ vars) and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# (Replaces the `ENVIRON_FILE' setting from login.defs)
auth       required   pam_env.so

# Standard Un*x authentication.
@include pam-ssh-auth
#@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please uncomment and edit /etc/security/group.conf if you
# wish to use this.
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
# auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restraints on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account    required   pam_access.so

# Standard Un*x account and session
@include common-account
@include common-session
@include pam-ssh-session

With this configuration, I can log in with a wrong or null passphrase. If I want to use only pam-ssh-auth, I need to modify /etc/pam.d/pam-ssh-auth and replace sufficient by required. It is very easy to insert a security hole in your system.
Salutations,
Sylvain

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages libpam-ssh depends on:
ii  libc6         2.3.5-4    GNU C Library: Shared libraries an
ii  libpam0g      0.76-23    Pluggable Authentication Modules l
ii  libssl0.9.7   0.9.7g-1   SSL shared libraries

Versions of packages libpam-ssh recommends:
ii  ssh           1:4.1p1-6  Secure shell client and server (tr

-- no debconf information
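As an added illustration (not part of this report and not code from the libpam-ssh package), here is a small Python model of how Linux-PAM walks an auth stack with the simple control flags. It reproduces the fall-through the report describes and checks the "required" fix, plus the alternative of closing the stack with pam_deny.so. Module names and outcomes are constructed, and it assumes that /etc/pam.d/pam-ssh-auth contains a single "auth sufficient pam_ssh.so" line, which the report does not quote.

```python
# Added example (not from the bug report or libpam-ssh): a minimal model of
# Linux-PAM's simple control flags, used to show why the reporter's login
# stack accepts a wrong passphrase. Module outcomes are constructed, and
# "pam_ssh.so" is assumed to be what pam-ssh-auth lists as "sufficient".


def evaluate_stack(stack, outcomes):
    """Walk an auth stack in file order and return 'success' or 'denied'.

    stack    : list of (control, module) pairs
    outcomes : dict module -> True (module succeeded) / False (module failed)

    Semantics modelled on Linux-PAM's simple keywords:
      required   failure is remembered, but later modules still run
      requisite  failure ends the stack immediately with a denial
      sufficient success ends the stack with success, unless an earlier
                 required module already failed; failure is simply ignored
      optional   result only counts if it is the sole module in the stack
    A stack that ends with no positive result is denied.
    """
    required_failed = False
    saw_success = False
    for control, module in stack:
        ok = outcomes.get(module, False)
        if control in ("required", "requisite"):
            if ok:
                saw_success = True
            elif control == "requisite":
                return "denied"
            else:
                required_failed = True
        elif control == "sufficient":
            if ok and not required_failed:
                return "success"
            # a failing "sufficient" module does not count against the user
        elif control == "optional":
            if len(stack) == 1:
                saw_success = ok
        else:
            raise ValueError(f"unknown control flag {control!r}")
    if required_failed or not saw_success:
        return "denied"
    return "success"


# The reporter's auth stack once "@include common-auth" is commented out.
# The three Debian-supplied modules all succeed on an ordinary tty login;
# the included pam-ssh-auth file is assumed to contribute one sufficient line.
REPORTED_STACK = [
    ("requisite", "pam_securetty.so"),
    ("requisite", "pam_nologin.so"),
    ("required", "pam_env.so"),
    ("sufficient", "pam_ssh.so"),  # assumed content of pam-ssh-auth
]

# Fix 1 (the reporter's change): make pam_ssh.so "required".
REQUIRED_STACK = REPORTED_STACK[:-1] + [("required", "pam_ssh.so")]

# Fix 2: keep "sufficient" but close the stack with pam_deny.so, so that
# falling off the end of the stack is an explicit denial.
DENY_STACK = REPORTED_STACK + [("required", "pam_deny.so")]


def login_result(stack, passphrase_ok):
    """Outcome of a login where every module except pam_ssh.so succeeds
    (constructed scenario); pam_deny.so always fails by design."""
    outcomes = {
        "pam_securetty.so": True,
        "pam_nologin.so": True,
        "pam_env.so": True,
        "pam_ssh.so": passphrase_ok,
        "pam_deny.so": False,
    }
    return evaluate_stack(stack, outcomes)


if __name__ == "__main__":
    for name, stack in (("reported", REPORTED_STACK),
                        ("required fix", REQUIRED_STACK),
                        ("pam_deny fix", DENY_STACK)):
        for ok in (True, False):
            print(f"{name:13s} passphrase_ok={ok!s:5s} -> {login_result(stack, ok)}")
```

The hole is the combination of pam_env.so succeeding as "required" (which makes the stack's result positive) and pam_ssh.so failing as "sufficient" (which is ignored): nothing in the stack ever records a failure, so login succeeds. Either fix works because it adds a module whose failure is recorded when the passphrase check does not pass.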