dagmar.wants at nospam.com
Tue Sep 23 14:36:18 PDT 2003
The short of it is that you need to upgrade if you have this linked
against PAM, otherwise it's not particularly a priority. It's also
apparently not a priority if you are actually using privilege separation.
See http://www.openssh.com/txt/sshpam.adv for full details.
I will quote this much from the advisory tho, because I agree with it:

    Due to complexity, inconsistencies in the specification and
    differences between vendors' PAM implementations we recommend
    that PAM be left disabled in sshd_config unless there is a need
    for its use. Sites only using public key or simple password
    authentication usually have little need to enable PAM support.

Honestly, if you can get away with letting sshd just look up shadow
passwords without using PAM, do it. There are very few cases indeed when
one needs something from a PAM module over ssh, and those people know who
they are without question (mainly hard token users).
The email address above is phony because the people making archives of list
traffic publicly available on the web aren't taking measures to protect the
email addresses from filthy spammers.
AIM: evilDagmar Jabber: evilDagmar at jabber.org
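As an added example (not part of the original post or of the OpenSSH advisory), the following POSIX shell script checks an sshd_config for the two settings the post discusses: UsePAM, which the advisory recommends leaving off, and UsePrivilegeSeparation, which the post notes reduces the urgency of the upgrade. Both sample configurations are constructed for the example; the parsing rule it applies is the documented sshd_config behaviour that the first occurrence of a keyword wins and that lines after a Match block are conditional.

```shell
#!/bin/sh
# Added example: audit an sshd_config for UsePAM and UsePrivilegeSeparation.
# Both configs below are constructed samples, not real host configuration.

WEAK_CONFIG='# constructed sample: PAM on, privilege separation off
Port 22
#UsePAM no
UsePAM yes
UsePrivilegeSeparation no
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication no
'

HARDENED_CONFIG='# constructed sample: settings the advisory recommends
Port 22
UsePAM no
UsePrivilegeSeparation yes
PubkeyAuthentication yes
PasswordAuthentication yes
'

# effective_value CONFIG_TEXT KEYWORD DEFAULT
# sshd_config(5): keywords are case-insensitive and, for each keyword, the
# first value found is the one used. Anything after a "Match" line only
# applies conditionally, so the scan stops there. Prints DEFAULT when the
# keyword is absent from the global section.
effective_value() {
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | awk -v key="$2" '
            tolower($1) == "match"        { exit }
            tolower($1) == tolower(key)   { print tolower($2); exit }' \
        | grep . || printf '%s\n' "$3"
}

# count_findings CONFIG_TEXT
# Reports each risky setting on stderr and prints the number of findings.
# Defaults mirror sshd: UsePAM defaults to "no", UsePrivilegeSeparation to "yes".
count_findings() {
    n=0
    usepam=$(effective_value "$1" UsePAM no)
    privsep=$(effective_value "$1" UsePrivilegeSeparation yes)
    if [ "$usepam" = yes ]; then
        echo "FINDING: UsePAM yes - disable unless a PAM module is actually required" >&2
        n=$((n + 1))
    fi
    if [ "$privsep" != yes ]; then
        echo "FINDING: UsePrivilegeSeparation $privsep - pre-auth code runs unconfined" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

echo "weak config:     $(count_findings "$WEAK_CONFIG") finding(s)"
echo "hardened config: $(count_findings "$HARDENED_CONFIG") finding(s)"
```

To check a live host instead of the embedded samples, pass the file contents, e.g. `count_findings "$(cat /etc/ssh/sshd_config)"`. On OpenSSH releases that support it, `sshd -T` prints the effective configuration after all defaults and Match rules are resolved and is the more authoritative source than reading the file.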