OpenSSH 3.7.1p2

Dagmar d'Surreal dagmar.wants at nospam.com
Tue Sep 23 14:36:18 PDT 2003


The short of it is that you need to upgrade if you have this linked
against PAM, otherwise it's not particularly a priority.  It's also
apparently not a priority if you are actually using privilege separation.

See http://www.openssh.com/txt/sshpam.adv for full details.

I will quote this much from the advisory tho, because I agree with it
wholeheartedly:

        Due to complexity, inconsistencies in the specification and
        differences between vendors' PAM implementations we recommend
        that PAM be left disabled in sshd_config unless there is a need
        for its use. Sites only using public key or simple password
        authentication usually have little need to enable PAM support.

Honestly, if you can get away with letting sshd just look up shadow
passwords without using PAM, do it.  There's very few cases indeed when
one needs something from a PAM module over ssh and those people know who
they are without question (mainly hard token users).
-- 
The email address above is phony because the people making archives of list
traffic publicly available on the web aren't taking measures to protect the
email addresses from filthy spammers.  
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org
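An added example, not part of the post above: a small POSIX sh audit that reads an sshd_config and reports the combination the thread is about, PAM enabled while privilege separation is off. The config text is constructed, and the fallback defaults used when a keyword is absent are assumptions to confirm against your version's sshd_config(5).

```shell
#!/bin/sh
# Constructed sample sshd_config for the check below (not a real host's file).
SAMPLE_CONFIG='# constructed sshd_config
Port 22
UsePAM yes
UsePrivilegeSeparation no
PasswordAuthentication yes'

# sshd keywords are case-insensitive and the FIRST occurrence of a keyword wins;
# later duplicates are ignored, so the check mirrors that.
# $1 = keyword, $2 = config text, $3 = value to assume when the keyword is absent
sshd_setting() {
    val=$(printf '%s\n' "$2" \
        | sed -e 's/#.*//' \
        | awk -v key="$1" 'tolower($1) == tolower(key) { print tolower($2); exit }')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Returns 1 when UsePAM is on and privilege separation is off (the case the
# advisory says to fix or upgrade), 0 otherwise. Defaults are assumed.
pam_exposure() {
    pam=$(sshd_setting UsePAM "$1" no)
    privsep=$(sshd_setting UsePrivilegeSeparation "$1" yes)
    if [ "$pam" = "yes" ] && [ "$privsep" = "no" ]; then
        echo "FLAG: UsePAM yes with UsePrivilegeSeparation no"
        return 1
    fi
    echo "ok: UsePAM=$pam UsePrivilegeSeparation=$privsep"
    return 0
}

if pam_exposure "$SAMPLE_CONFIG"; then
    :
else
    echo "advice: set 'UsePAM no' unless a PAM module is required, or upgrade"
fi
```

Run it against a real file with `pam_exposure "$(cat /etc/ssh/sshd_config)"` (path assumed).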