PAM not so great idea

Oko

Daemon

Reaction score: 772
Messages: 1,620

Some people got annoyed when I pointed out that PAM is not such a great idea and should never have been brought over from Linux, just like SSSD. Here is a little discussion which reveals that the alleged "OpenSSH bug" might actually not be a bug, and why FreeBSD is the most seriously affected.

http://marc.info/?l=openbsd-misc&m=143766047211907&w=2

Screw the OpenBSD crew (myself included) and our stupid ypldap daemon if you don't like us, but do one good thing for your OS and take the clue from HP UNIX and the like on how those things are done right.
 

RichardET

Member


Messages: 31

So in the sshd_config you need to uncomment this line and change the setting to no?
Code:
# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes
What about the default of max tries = 6? That should be lowered to 3?
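An added audit script, not from the thread, for checking the settings asked about above: it reads the effective values in the form `sshd -T` prints (lowercase keyword, then value) and flags ChallengeResponseAuthentication or UsePAM still on, or MaxAuthTries above 3. The `usepam` keyword and the threshold of 3 are my assumptions taken from the discussion, and the sample files in the test are constructed.

```sh
#!/bin/sh
# Audit sshd's effective configuration for the PAM-related settings.
# Input: a file in the format "sshd -T" prints (create it with
# "sshd -T > effective.conf"; every keyword is lowercased there).

# Print the value of keyword $2 from effective-config file $1.
cfg_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Return 0 if the config matches the hardened settings, 1 otherwise,
# printing one WEAK line per finding.
check_sshd_settings() {
    cfg="$1"
    rc=0

    # Keyboard-interactive is the channel through which PAM's prompts
    # reach the client; "no" turns that channel off.
    if [ "$(cfg_value "$cfg" challengeresponseauthentication)" != "no" ]; then
        echo "WEAK: ChallengeResponseAuthentication is not 'no'"
        rc=1
    fi

    # With PAM not in use for sshd, UsePAM should be off as well (assumption).
    if [ "$(cfg_value "$cfg" usepam)" != "no" ]; then
        echo "WEAK: UsePAM is not 'no'"
        rc=1
    fi

    # OpenSSH's default is 6; the thread suggests 3.
    tries=$(cfg_value "$cfg" maxauthtries)
    if [ -z "$tries" ] || [ "$tries" -gt 3 ]; then
        echo "WEAK: MaxAuthTries is ${tries:-unset} (want 3 or less)"
        rc=1
    fi

    return $rc
}

# Usage: sh audit_sshd.sh effective.conf
if [ "$#" -gt 0 ]; then
    check_sshd_settings "$1"
fi
```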
 

kpa

Beastie's Twin

Reaction score: 1,810
Messages: 6,318

PAM is certainly a great idea, but the implementation is less than what is desired because it forces you to load untrusted code into your reviewed and verified application's address space *). I can't believe no one has come up with something similar but using some kind of IPC solution for separating the authentication mechanisms from the application using them.

*) That's what plugins do in general but we are talking about security and authentication here.
 