Date: 28 Jan 1999 20:57:02 -0000
Message-ID: <19990128205702.32407.qmail@brouhaha.com>
From: Eric Smith <eric@brouhaha.com>
To: editor@lwn.net
Subject: SSH authorization problems: use PAM!

In the January 28 issue of Linux Weekly News, you reported a problem with SSH
allowing login with expired passwords, and quoted Aleph One:

    It simply comes down to the fact that SSH, like all other services, must
    check all available authorization policies before providing its service.
    But the large set of possible restrictions implemented by different unix
    flavors (account expiration, password expiration, time of day, source
    location, load, etc) almost assures that it will miss some of them.

This is precisely why these authorization policies need to be implemented by
an external and extensible method such as PAM.  It is foolish to build these
policies into SSH, such that SSH needs to be hacked every time someone invents
a new authorization policy.  With PAM, a new policy such as expiring passwords
can be put in place simply by adding a single line to a PAM configuration
file.

The code for a new policy still has to be written, but by putting it into
a PAM module, the new policy can easily be used by all PAM-aware applications.

The RPMS for SSH on www.replay.com have been PAMified.

Eric Smith
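As an added illustration of the point the letter makes (this is an example written for this page, not the letter's own text and not the configuration shipped by any particular SSH package), here is what a PAM service file for SSH could look like under Linux-PAM. The file path, the module names and the policy it expresses are assumptions: pam_unix, pam_nologin and pam_time are real Linux-PAM modules, but a 1999 Red Hat system would have used pam_pwdb in place of pam_unix, and the exact stack is whatever the site administrator wants, which is the letter's point.

```text
# /etc/pam.d/sshd -- illustrative example, not from the letter or any SSH
# distribution. Module names are Linux-PAM's; the policy is an assumption.

# auth: verify the credential (the password). A service that only ever
# checks the password against the shadow file does just this step.
auth      required   pam_unix.so

# account: may this account log in *now*? This stack is where the
# restrictions the letter lists live. pam_unix checks the shadow fields for
# account expiry and password expiry; pam_nologin refuses non-root logins
# while /etc/nologin exists; pam_time enforces time-of-day rules from
# /etc/security/time.conf. Adding another policy means adding another line.
account   required   pam_nologin.so
account   required   pam_time.so
account   required   pam_unix.so

# password: how a password change is carried out when the account stack
# reports that the password has expired.
password  required   pam_unix.so

# session: per-session setup and teardown.
session   required   pam_unix.so
```

The caveat that goes with this file: the account lines only take effect if the PAM-aware application actually calls pam_acct_mgmt() after pam_authenticate() succeeds. An application that stops after pam_authenticate() has verified the password and nothing else, which is exactly the expired-password behaviour the letter is responding to. When pam_acct_mgmt() returns PAM_NEW_AUTHTOK_REQD the application should call pam_chauthtok() to force a change rather than grant the session. A simple check for an administrator is to expire a test account's password (for example with chage) and confirm that the service refuses or forces a change instead of logging the user in.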