
Re: PAM experience (and more)



abel@bfr.co.il (Alexander L. Belikoff) wrote:
|Well, I'm running RH 4.1 + all security fixes and I played with PAM
|recently. Namely, I disabled ~/.rhosts support for rsh/rlogin by

Anyone with experience on Debian?  It has PAM packages but I suspect that only the next release will be fully PAMified.

|specifying 'no_rhosts' option in /etc/pam.conf:
|
|rlogin  auth       sufficient   /lib/security/pam_rhosts_auth.so  no_rhosts
|
|rsh     auth       required     /lib/security/pam_rhosts_auth.so  no_rhosts debug

What about using the newer /etc/pam.d/ configuration style?

|Also, I tried to figure out the reason for the following [buggy?] rsh

As far as I remember, it isn't buggy behaviour - rsh doesn't know to
ask for a password.  When you run it without a command then it's
simply an alias for rlogin.

|behaviour:
|
|If I have some host in my /etc/hosts.allow BUT NOT in
|/etc/hosts.equiv, then I can rsh to it by supplying a password:
|
|$ rsh remote
|Password:
|
|However if I do 'rsh remote SOME_COMMAND', it says 'Permission denied'
|
|$ rsh remote date
|Permission denied.
|
|BTW, ssh doesn't have such bug.

ssh is smarter in that respect.

|I tried to enable more PAM modules for rsh (pam_unix_auth and
|pam_unix_passwd) and at some moment I did manage to make rsh prompt
|me for a password. But it was completely screwed up:
|
|$ rsh remote date
|assword: MY_PASSWORD             <----- VISIBLE!!!
|^
||--------------------- note the absence of 'P'
|
|
|... which obviously has to do with streams' redirections rsh does.

Probably the PAM passwd module runs on the remote machine, and not
through a pty, so the serial line controls are not relevant.  You
should somehow teach the local rsh to ask for the password (if
possible at all?).

|Does anybody have the slightest idea how to fix this, or at least who to
|report it to?

The mailing list I know of is pam-list@redhat.com - it's about PAM in
general, not just for RH.

My main entry point for PAM on the web is:

http://parc.power.net/morgan/Linux-PAM/index.html

Hope this helps,

--Amos

--Amos Shapira                    | "Of course Australia was marked for
133 Shlomo Ben-Yosef st.          |  glory, for its people had been chosen
Jerusalem 93 805                  |  by the finest judges in England."
ISRAEL        amos@gezernet.co.il |                     -- Anonymous
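The reply above asks about the /etc/pam.d/ layout. The sh script below is an added example, not code from either poster: it shows the mechanical relation between the two formats (the first column of a pam.conf line is the service name, which in the /etc/pam.d/ style becomes the file name, and the rest of the line is copied unchanged), and then runs the audit one would want afterwards, listing services that still honour ~/.rhosts because they load pam_rhosts_auth without the no_rhosts option. The sample input is constructed from the two entries quoted in the thread, with the wrapped "debug" option rejoined; the function names, the sample comment line and the rexec check in the usage below are my own.

```shell
#!/bin/sh
# Added example, not code from the original thread. Converts pam.conf-style
# lines into the per-service /etc/pam.d/ layout and audits the result for
# services that still honour ~/.rhosts. All names below are my own.

# Constructed sample input: the two entries quoted in the mail (with the
# wrapped "debug" option rejoined), plus a comment and a blank line to show
# that both are skipped.
SAMPLE_PAM_CONF='# service  type   control     module-path                       module-args
rlogin  auth       sufficient   /lib/security/pam_rhosts_auth.so  no_rhosts

rsh     auth       required     /lib/security/pam_rhosts_auth.so  no_rhosts debug
'

# pam_conf_to_pamd PAM_CONF OUT_DIR
# The first column of a pam.conf line is the service name; in the
# /etc/pam.d/ layout that becomes the file name and the rest of the line
# (type, control flag, module path, module arguments) is appended verbatim
# to OUT_DIR/<service>. Blank lines and comment lines are dropped.
pam_conf_to_pamd() {
    pam_conf=$1
    out_dir=$2
    mkdir -p "$out_dir"
    while read -r service rest; do
        case $service in
            ''|'#'*) continue ;;
        esac
        printf '%s\n' "$rest" >> "$out_dir/$service"
    done < "$pam_conf"
}

# rhosts_enabled_services PAMD_DIR
# Print, one per line, the services under PAMD_DIR that load
# pam_rhosts_auth on some non-comment line without the no_rhosts option,
# i.e. services for which a user's ~/.rhosts is still consulted.
rhosts_enabled_services() {
    pamd_dir=$1
    for f in "$pamd_dir"/*; do
        [ -f "$f" ] || continue
        if grep -v '^[[:space:]]*#' "$f" | grep 'pam_rhosts_auth' | grep -qv 'no_rhosts'; then
            basename "$f"
        fi
    done
}
```

Usage: write SAMPLE_PAM_CONF to a file, run pam_conf_to_pamd on it with a scratch directory, and you get rlogin and rsh files whose single line is the original entry minus the service column. rhosts_enabled_services on that directory prints nothing, since both entries carry no_rhosts; add a file such as rexec containing "auth sufficient /lib/security/pam_rhosts_auth.so" and it prints "rexec". Run the audit against the real /etc/pam.d/ before trusting that ~/.rhosts is off everywhere, not just for the two services you edited.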

