configuring ssh & pam (OSX 10.5.2)

xaverius · 05-21-2008, 03:56 AM

Hi,
There's a user on my machine with no password, and I want to log in over ssh with that account.
Problem is, ssh seems to deny empty passwords.

I've been messing around with /etc/sshd_config, and discovered that:
a) "permitEmptyPasswords no" is set by default, but enabling it doesn't work, because (I think)...
b) "UsePAM yes" is set too.

So I ignored the sshd_config file, and went to /etc/pam.d/sshd, these were the settings:

Code:

auth       required       pam_nologin.so
auth       optional       pam_afpmount.so
auth       sufficient     pam_securityserver.so
auth       sufficient     pam_unix.so
auth       required       pam_deny.so
account    required       pam_securityserver.so
password   required       pam_deny.so
session    required       pam_launchd.so
session    optional       pam_afpmount.so

Setting "auth optional pam_deny.so" (instead of required) enabled me to log in using no password for that account, but apparently also disabled ALL passwords - anybody could log in with no password, and that's obviously not what I want.

Can't figure out what to do now, so I hope there's somebody who can tell me what to do?

Nathanael · 05-21-2008, 04:47 AM

why do you not set a password for that specific user, and setup ssh key authentication?

xaverius · 05-21-2008, 05:00 AM

because it's not my account, and that user doesn't want one...
I just wanted to know: why does ssh deny empty passwords by default, and how do I change that?

Nathanael · 05-21-2008, 05:06 AM

it denys it because it's a security problem otherwise!

you could still setup an ssh key authentication without the user having a password.

do this by running ssh-keygen on your computer, and add the contents of the file ~/.ssh/id_(rsa|dsa).pub to the users ~/.ssh/authorized_keys file on the remote host.

there are also some settings in the sshd file you could change, in case this is disabled by default on os x