PAM not so great idea

Some people got annoyed when I pointed out that PAM is not such a great idea and that it should never have been brought over from Linux, just like SSSD. Here is a little discussion which reveals that the alleged "OpenSSH bug" might actually not be a bug, and why FreeBSD is the most seriously affected.

http://marc.info/?l=openbsd-misc&m=143766047211907&w=2

Screw the OpenBSD crew (myself included) and our stupid ypldap daemon if you don't like us, but do one good thing for your OS and take a clue from HP UNIX and the like on how those things are done right.
 
So in sshd_config you need to uncomment this line and change the setting to no?
Code:
# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

What about the default of max tries = 6? Should that be lowered to 3?
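As an added example, not part of the thread and not FreeBSD's or OpenSSH's own code: a small sh script that reads sshd_config the way sshd does. The point it makes is that the commented line quoted above only documents the compiled-in default (ChallengeResponseAuthentication yes, MaxAuthTries 6, as stated in this thread), so merely uncommenting it changes nothing; the first uncommented occurrence of a keyword wins, and anything under a Match block does not affect the global setting. The two sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example: audit the PAM-related knobs in an sshd_config the way sshd
# itself reads them. sshd honours the FIRST uncommented occurrence of a keyword
# (keywords are case-insensitive) and stops reading global settings at the
# first "Match" block. A commented-out line such as
# "#ChallengeResponseAuthentication yes" only documents the compiled-in default.

# Print the effective value of keyword $1 in file $2, or $3 when it is unset.
sshd_effective() {
    kw=$1
    file=$2
    default=$3
    val=$(awk -v kw="$kw" '
        /^[[:space:]]*#/ || NF == 0 { next }          # comments and blanks never count
        tolower($1) == "match"      { exit }          # global section ends here
        tolower($1) == tolower(kw)  { print $2; exit } # first occurrence wins
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# Exit 0 only when keyboard-interactive (PAM) auth is off and MaxAuthTries <= 3.
# Assumed defaults, taken from the thread: ChallengeResponseAuthentication yes,
# MaxAuthTries 6.
sshd_pam_audit() {
    file=$1
    cra=$(sshd_effective ChallengeResponseAuthentication "$file" yes)
    tries=$(sshd_effective MaxAuthTries "$file" 6)
    printf 'ChallengeResponseAuthentication=%s MaxAuthTries=%s\n' "$cra" "$tries"
    [ "$(printf '%s' "$cra" | tr 'A-Z' 'a-z')" = no ] && [ "$tries" -le 3 ]
}

# Constructed sample configs: the stock file as shipped, and the same file
# after the edit asked about above (plus a Match block that must NOT leak
# into the global result).
WEAK_CFG=$(mktemp)
FIXED_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes
#MaxAuthTries 6
UsePAM yes
EOF
cat >"$FIXED_CFG" <<'EOF'
# Change to no to disable PAM authentication
ChallengeResponseAuthentication no
MaxAuthTries 3
UsePAM yes
Match User backup
    ChallengeResponseAuthentication yes
EOF

sshd_pam_audit "$WEAK_CFG"  || echo "WEAK: still on defaults, edit needed"
sshd_pam_audit "$FIXED_CFG" && echo "FIXED: ok"
```

Run it against /etc/ssh/sshd_config instead of the constructed files to see what your own host actually enforces; `sshd -T` prints the same effective values from sshd's own parser and is the authoritative check once the daemon is restarted.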
 
PAM is certainly a great idea, but the implementation is less than what is desired, because it forces you to load untrusted code into your reviewed and verified application's address space *). I can't believe that no one has come up with something similar using some kind of IPC solution for separating the authentication mechanisms from the application using them.

*) That's what plugins do in general but we are talking about security and authentication here.
 