[conspire] ssh problem: disabling "keyboard-interactive"
peter.knaggs at gmail.com
Tue Aug 22 16:03:32 PDT 2006
> Hi Peter,
> Thanks for the suggestion.
> Specifically 'UsePAM no' disallowed used of passwords.
Ahh, thanks for the feedback.
> Now I'll study PAM to see what's up with that.
Here's my fledgling "hints" on PAM so far:
PAM is the Pluggable Authentication Module, invented by Sun.
It's a beautiful concept, but it can be confusing and even intimidating at
The first thing to understand is that PAM is not something like tcpd (tcp
wrappers) or xinetd that encloses and restricts access to some service.
An application needs to be "PAM-aware". That is, it needs to have been written
and compiled specifically to use PAM. There are tremendous advantages in doing
so, and most applications with any interest in security will be PAM-aware.
PAM is about security - checking to see whether a service should be used or not.
PAM can do much more than just validate passwords.
Even things like SAMBA can call on PAM for authentication.
The big advantage here is that security is no longer the application's concern.
If PAM says its OK, its OK. That makes things easier for the application, and it
makes things easier for the system administrator.
PAM consults text configuration files to see what security actions to take for
an application, and the administrator can add and subtract new rules at any
PAM is also extensible by means of PAM modules.
There are a tremendous number of available PAM modules that administrators
The configuration files for PAM are found in /etc/pam.d, one file for each
PAM-aware application (plus a special "other" file we'll get to later).
One word of warning: changes to these files take effect instantly.
You aren't going to get logged out if you make a mistake here, but if you do
make a mistake and blithely log out, you may not be able to log back in,
so test changes before you exit.
We're going to use a very simple example to get started here.
We'll use PAM to add some additional restriction to ssh logins: the time of day
you are allowed to use ssh. To do this, we need a PAM module called
This is usually found in
It uses the configuration file
The above file is pretty well commented, so just add the following line
to restrict ssh logins:
This tells PAM that sshd cannot be used between 10:00 PM and 4:00 AM.
Configuring the /etc/security/time.conf file by itself doesn't affect ssh; we
need to add the pam_time.so PAM module to /etc/pam.d/sshd, as follows:
account required pam_time.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
The pam_time.so module comes first, so that it is the very first thing that is
checked. If that module doesn't give sshd a green light, that's the end of it:
That's the meaning of "required": the module has to say that it is happy.
The "account" type is specified here.
The "man Linux-PAM" (or sometimes just "man pam") gives us the following:
account - provide account verification types of service: has the user's
password expired?; is this user permitted access to the requested ser-
auth - authentication: establish user is who they claim to be. Typically
this is via some challenge-response request that the user must satisfy:
if you are who you claim to be please enter your password. Not all
authentications are of this type, there exist hardware based authenti-
cation schemes (such as the use of smart-cards and biometric devices),
with suitable modules, these may be substituted seamlessly for more
standard approaches to authentication - such is the flexibility of
password - this group's responsibility is the task of updating authen-
tication mechanisms. Typically, such services are strongly coupled to
those of the auth group. Some authentication mechanisms lend themselves
well to being updated with such a function. Standard UN*X password-
based access is the obvious example: please enter a replacement pass-
session - this group of tasks cover things that should be done prior to
a service being given and after it is withdrawn. Such tasks include the
maintenance of audit trails and the mounting of the user's home direc-
tory. The session management group is important as it provides both an
opening and closing hook for modules to affect the services available
to a user.
The distinction between "account" and "session" is a little confusing.
Remember, "session" happens AFTER "auth". The older PAM manual said:
auth modules provide the actual authentication, perhaps asking
for and checking a password, and they set "credentials" such
as group membership or kerberos "tickets."
account modules check to make sure that the authentication
is allowed (the account has not expired, the user is allowed
to log in at this time of day, and so on).
password modules are used to set passwords.
session modules are used once a user has been authenticated
to allow them to use their account, perhaps mounting the
user's home directory or making their mailbox available.
What if a PAM aware app doesn't have a file in the /etc/pam.d directory?
In that case, it uses the file "/etc/pam.d/other".
There are many, many useful and clever PAM modules.
More information about the conspire