[conspire] ssh problem: disabling "keyboard-interactive"

Peter Knaggs peter.knaggs at gmail.com
Tue Aug 22 16:03:32 PDT 2006 

> Hi Peter,
> Thanks for the suggestion.
> Specifically 'UsePAM no' disallowed used of passwords.

Ahh, thanks for the feedback.

> Now I'll study PAM to see what's up with that.

Here's my fledgling "hints" on PAM so far:

Understanding PAM
~~~~~~~~~~~~~~~~~
PAM is the Pluggable Authentication Module, invented by Sun.
It's a beautiful concept, but it can be confusing and even intimidating at
first.

The first thing to understand is that PAM is not something like tcpd (tcp
wrappers) or xinetd that encloses and restricts access to some service.
An application needs to be "PAM-aware". That is, it needs to have been written
and compiled specifically to use PAM. There are tremendous advantages in doing
so, and most applications with any interest in security will be PAM-aware.

PAM is about security - checking to see whether a service should be used or not.
PAM can do much more than just validate passwords.
Even things like SAMBA can call on PAM for authentication.

The big advantage here is that security is no longer the application's concern.
If PAM says its OK, its OK. That makes things easier for the application, and it
makes things easier for the system administrator.

PAM consults text configuration files to see what security actions to take for
an application, and the administrator can add and subtract new rules at any
time.

PAM is also extensible by means of PAM modules.
There are a tremendous number of available PAM modules that administrators
can use.

Configuration Files
~~~~~~~~~~~~~~~~~~~
The configuration files for PAM are found in /etc/pam.d, one file for each
PAM-aware application (plus a special "other" file we'll get to later).
One word of warning: changes to these files take effect instantly.
You aren't going to get logged out if you make a mistake here, but if you do
make a mistake and blithely log out, you may not be able to log back in,
so test changes before you exit.

We're going to use a very simple example to get started here.
We'll use PAM to add some additional restriction to ssh logins: the time of day
you are allowed to use ssh. To do this, we need a PAM module called
  pam_time.so
This is usually found in
  /lib/security/pam_time.so
It uses the configuration file
  /etc/security/time.conf
The above file is pretty well commented, so just add the following line
to restrict ssh logins:

sshd;*;*;!Al2200-0400

This tells PAM that sshd cannot be used between 10:00 PM and 4:00 AM.
Configuring the /etc/security/time.conf file by itself doesn't affect ssh; we
need to add the pam_time.so PAM module to /etc/pam.d/sshd, as follows:

#%PAM-1.0
account    required     pam_time.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so

The pam_time.so module comes first, so that it is the very first thing that is
checked. If that module doesn't give sshd a green light, that's the end of it:
no access.
That's the meaning of "required": the module has to say that it is happy.
The "account" type is specified here.
The "man Linux-PAM" (or sometimes just "man pam") gives us the following:

       account - provide account verification types of service: has the user's
       password expired?; is this user permitted access to the requested  ser-
       vice?

       auth - authentication: establish user is who they claim to be. Typically
       this is via some challenge-response request that the user must satisfy:
       if  you  are  who  you claim to be please enter your password.  Not all
       authentications are of this type, there exist hardware based  authenti-
       cation  schemes (such as the use of smart-cards and biometric devices),
       with suitable modules, these may be  substituted  seamlessly  for  more
       standard  approaches  to  authentication  -  such is the flexibility of
       Linux-PAM.

       password - this group's responsibility is the task of updating  authen-
       tication  mechanisms.  Typically, such services are strongly coupled to
       those of the auth group. Some authentication mechanisms lend themselves
       well  to  being  updated  with such a function. Standard UN*X password-
       based access is the obvious example: please enter a  replacement  pass-
       word.

       session - this group of tasks cover things that should be done prior to
       a service being given and after it is withdrawn. Such tasks include the
       maintenance  of audit trails and the mounting of the user's home direc-
       tory. The session management group is important as it provides both  an
       opening  and  closing hook for modules to affect the services available
       to a user.

The distinction between "account" and "session" is a little confusing.
Remember, "session" happens AFTER "auth". The older PAM manual said:

      auth modules provide the actual authentication, perhaps asking
      for and checking a password, and they set "credentials" such
      as group membership or kerberos "tickets."

      account modules check to make sure that the authentication
      is allowed (the account has not expired, the user is allowed
      to log in at this time of day, and so on).

      password modules are used to set passwords.

      session modules are used once a user has been authenticated
      to allow them to use their account, perhaps mounting the
      user's home directory or making their mailbox available.

Other
~~~~~
What if a PAM aware app doesn't have a file in the /etc/pam.d directory?
In that case, it uses the file "/etc/pam.d/other".

There are many, many useful and clever PAM modules.
See:
  http://www.kernel.org/pub/linux/libs/pam/modules.html

More information about the conspire mailing list