Openembedded Core Discussions
* [PATCH 1/2] openssh: package sshd PAM config inside openssh-sshd package
@ 2013-10-11 13:37 Koen Kooi
  2013-10-11 13:37 ` [PATCH 2/2] openssh: allow empty passwords if PAM allows it as well Koen Kooi
From: Koen Kooi @ 2013-10-11 13:37 UTC (permalink / raw)
  To: openembedded-core

Without this, PAM integration is broken after installing openssh-sshd

Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
---
 meta/recipes-connectivity/openssh/openssh_6.2p2.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
index bb5c79e..4b44bf4 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
@@ -120,7 +120,7 @@ PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc $
 FILES_${PN}-scp = "${bindir}/scp.${BPN}"
 FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
 FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd"
-FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd"
+FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
 FILES_${PN}-sftp = "${bindir}/sftp"
 FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
 FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
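Review bot: the new ${sysconfdir}/pam.d/sshd entry in FILES_${PN}-sshd is unconditional, so the commit message should say which package the file landed in before this change (given the PACKAGES =+ ordering shown, it would have fallen through to the main ${PN} package) and that openssh-sshd is therefore incomplete without it; "PAM integration is broken" on its own does not tell a reader what was wrong. If the pam.d file is only installed on builds with PAM enabled (not visible in this hunk), the unmatched pattern is harmless to packaging, but it is worth stating that in the message too. Style: the FILES_${PN}-sshd += line is now very long; consider one path per line with backslash continuations.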
-- 
1.8.3.1




* [PATCH 2/2] openssh: allow empty passwords if PAM allows it as well
  2013-10-11 13:37 [PATCH 1/2] openssh: package sshd PAM config inside openssh-sshd package Koen Kooi
@ 2013-10-11 13:37 ` Koen Kooi
  2013-10-12  8:37   ` Richard Purdie
From: Koen Kooi @ 2013-10-11 13:37 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
---
 meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
index 4f9b626..175e8f3 100644
--- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
+++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
@@ -59,7 +59,7 @@ Protocol 2
 
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
-#PermitEmptyPasswords no
+PermitEmptyPasswords yes
 
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
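Review bot: the hunk turns the commented upstream default "#PermitEmptyPasswords no" into an active "PermitEmptyPasswords yes", and nothing in it ties the change to PAM; the shortlog "if PAM allows it as well" only describes the PAM-enabled case, where pam_unix can still reject the empty password. On a build without PAM this one line lets any account with an empty password string log in over password authentication, as the thread's later replies establish. The commit message should state the effect for both cases, and the setting deserves either a comment next to it in sshd_config explaining why the default diverges from upstream, or a distro-level switch that defaults to "no", which is the direction the thread ends on.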
-- 
1.8.3.1




* Re: [PATCH 2/2] openssh: allow empty passwords if PAM allows it as well
  2013-10-11 13:37 ` [PATCH 2/2] openssh: allow empty passwords if PAM allows it as well Koen Kooi
@ 2013-10-12  8:37   ` Richard Purdie
  2013-10-13 10:01     ` Koen Kooi
From: Richard Purdie @ 2013-10-12  8:37 UTC (permalink / raw)
  To: Koen Kooi; +Cc: openembedded-core

On Fri, 2013-10-11 at 15:37 +0200, Koen Kooi wrote:
> Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
> ---
>  meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> index 4f9b626..175e8f3 100644
> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> @@ -59,7 +59,7 @@ Protocol 2
>  
>  # To disable tunneled clear text passwords, change to no here!
>  #PasswordAuthentication yes
> -#PermitEmptyPasswords no
> +PermitEmptyPasswords yes
>  
>  # Change to no to disable s/key passwords
>  #ChallengeResponseAuthentication yes

I'm struggling to connect the "if PAM allows it as well" part of the
shortlog to this change? How is this conditional on PAM?

Cheers,

Richard




* Re: [PATCH 2/2] openssh: allow empty passwords if PAM allows it as well
  2013-10-12  8:37   ` Richard Purdie
@ 2013-10-13 10:01     ` Koen Kooi
  2013-10-13 13:39       ` Richard Purdie
From: Koen Kooi @ 2013-10-13 10:01 UTC (permalink / raw)
  To: Richard Purdie; +Cc: openembedded-core


On 12 Oct 2013, at 10:37, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:

> On Fri, 2013-10-11 at 15:37 +0200, Koen Kooi wrote:
>> Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
>> ---
>> meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>> 
>> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
>> index 4f9b626..175e8f3 100644
>> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
>> +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
>> @@ -59,7 +59,7 @@ Protocol 2
>> 
>> # To disable tunneled clear text passwords, change to no here!
>> #PasswordAuthentication yes
>> -#PermitEmptyPasswords no
>> +PermitEmptyPasswords yes
>> 
>> # Change to no to disable s/key passwords
>> #ChallengeResponseAuthentication yes
> 
> I'm struggling to connect the "if PAM allows it as well" part of the
> shortlog to this change? How is this conditional on PAM?

If PAM disallows empty passwords this option doesn't do anything. The PAM rules run before the openssh config options get applied.

regards,

Koen


* Re: [PATCH 2/2] openssh: allow empty passwords if PAM allows it as well
  2013-10-13 10:01     ` Koen Kooi
@ 2013-10-13 13:39       ` Richard Purdie
  2013-10-13 15:30         ` Koen Kooi
From: Richard Purdie @ 2013-10-13 13:39 UTC (permalink / raw)
  To: Koen Kooi; +Cc: openembedded-core

On Sun, 2013-10-13 at 12:01 +0200, Koen Kooi wrote:
> On 12 Oct 2013, at 10:37, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> 
> > On Fri, 2013-10-11 at 15:37 +0200, Koen Kooi wrote:
> >> Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
> >> ---
> >> meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >> 
> >> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >> index 4f9b626..175e8f3 100644
> >> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >> +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >> @@ -59,7 +59,7 @@ Protocol 2
> >> 
> >> # To disable tunneled clear text passwords, change to no here!
> >> #PasswordAuthentication yes
> >> -#PermitEmptyPasswords no
> >> +PermitEmptyPasswords yes
> >> 
> >> # Change to no to disable s/key passwords
> >> #ChallengeResponseAuthentication yes
> > 
> > I'm struggling to connect the "if PAM allows it as well" part of the
> > shortlog to this change? How is this conditional on PAM?
> 
> If PAM disallows empty passwords this option doesn't do anything. The
> PAM rules run before the openssh config options get applied.

What if PAM isn't being used?

Cheers,

Richard




* Re: [PATCH 2/2] openssh: allow empty passwords if PAM allows it as well
  2013-10-13 13:39       ` Richard Purdie
@ 2013-10-13 15:30         ` Koen Kooi
  2013-10-14  8:25           ` Richard Purdie
From: Koen Kooi @ 2013-10-13 15:30 UTC (permalink / raw)
  To: Richard Purdie; +Cc: openembedded-core


On 13 Oct 2013, at 15:39, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:

> On Sun, 2013-10-13 at 12:01 +0200, Koen Kooi wrote:
>> On 12 Oct 2013, at 10:37, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
>> 
>>> On Fri, 2013-10-11 at 15:37 +0200, Koen Kooi wrote:
>>>> Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
>>>> ---
>>>> meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>> 
>>>> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
>>>> index 4f9b626..175e8f3 100644
>>>> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
>>>> +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
>>>> @@ -59,7 +59,7 @@ Protocol 2
>>>> 
>>>> # To disable tunneled clear text passwords, change to no here!
>>>> #PasswordAuthentication yes
>>>> -#PermitEmptyPasswords no
>>>> +PermitEmptyPasswords yes
>>>> 
>>>> # Change to no to disable s/key passwords
>>>> #ChallengeResponseAuthentication yes
>>> 
>>> I'm struggling to connect the "if PAM allows it as well" part of the
>>> shortlog to this change? How is this conditional on PAM?
>> 
>> If PAM disallows empty passwords this option doesn't do anything. The
>> PAM rules run before the openssh config options get applied.
> 
> What if PAM isn't being used?

I haven't tested that, but I suspect it will only allow empty passwords if you set it to 'yes'.

regards,

Koen



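The interaction argued over in the last two replies (sshd's own PermitEmptyPasswords check, the PAM stack's nullok rule, and the build without PAM where only sshd decides) as an added example that is not part of this thread or of the openssh recipe: a POSIX shell audit script that reads an sshd_config and the sshd PAM file and reports whether an account with an empty password string could log in with the "password" method. The decision model, the keyword defaults and the sample files are assumptions taken from sshd_config(5) and pam_unix(8), not from the recipe; keyboard-interactive authentication is deliberately left out.

```sh
#!/bin/sh
# Added example, not code from the openembedded-core thread or the openssh
# recipe. It models the "password" authentication method only, using the
# rules documented in sshd_config(5) and pam_unix(8):
#   - sshd refuses an empty password unless PermitEmptyPasswords is yes
#     (keyword default: no; PasswordAuthentication default: yes);
#   - with UsePAM yes, pam_unix additionally refuses an empty password
#     unless its module line carries nullok.
# Keyboard-interactive authentication and PAM stacks that do not use
# pam_unix are outside this model (assumption, kept deliberately simple).

# Effective value of one sshd_config keyword. sshd honours the first
# uncommented occurrence; $3 is the documented default used when absent.
sshd_opt() {
    # $1 = sshd_config path, $2 = keyword, $3 = default value
    v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 |
        awk '{print tolower($2)}')
    if [ -n "$v" ]; then echo "$v"; else echo "$3"; fi
}

# "yes" if an active pam_unix.so line in the PAM file allows null passwords.
pam_nullok() {
    # $1 = PAM stack for sshd (e.g. /etc/pam.d/sshd or the file it includes)
    if grep -v '^[[:space:]]*#' "$1" | grep -q 'pam_unix\.so.*nullok'; then
        echo yes
    else
        echo no
    fi
}

# Prints "allowed" when an account with an empty password string could log
# in with the password method under these two files, "denied" otherwise.
effective_policy() {
    # $1 = sshd_config path, $2 = PAM file path
    [ "$(sshd_opt "$1" PasswordAuthentication yes)" = yes ] || { echo denied; return 0; }
    [ "$(sshd_opt "$1" PermitEmptyPasswords no)" = yes ] || { echo denied; return 0; }
    if [ "$(sshd_opt "$1" UsePAM no)" = yes ] && [ "$(pam_nullok "$2")" = no ]; then
        echo denied
        return 0
    fi
    echo allowed
}

# Constructed sample configurations (not taken from any real system).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# sshd_config as patched in this thread, on a PAM-enabled build
cat > "$tmp/sshd_config.patched" <<'EOF'
Protocol 2
#PasswordAuthentication yes
PermitEmptyPasswords yes
UsePAM yes
EOF

# Upstream default: the keyword stays commented out
cat > "$tmp/sshd_config.upstream" <<'EOF'
#PasswordAuthentication yes
#PermitEmptyPasswords no
UsePAM yes
EOF

# Patched keyword, but sshd built or configured without PAM
cat > "$tmp/sshd_config.nopam" <<'EOF'
PermitEmptyPasswords yes
EOF

cat > "$tmp/pam_nullok" <<'EOF'
auth    required    pam_unix.so nullok
EOF

cat > "$tmp/pam_strict" <<'EOF'
# without nullok pam_unix rejects empty passwords
auth    required    pam_unix.so
EOF

for cfg in patched upstream nopam; do
    for pam in nullok strict; do
        printf '%-9s + pam_%-7s -> %s\n' "$cfg" "$pam" \
            "$(effective_policy "$tmp/sshd_config.$cfg" "$tmp/pam_$pam")"
    done
done
```

On a built image, point effective_policy at /etc/ssh/sshd_config and /etc/pam.d/sshd instead of the samples. The "nopam" rows are the case Richard asks about: with UsePAM off, the sshd keyword alone decides, and the PAM file's contents make no difference.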

* Re: [PATCH 2/2] openssh: allow empty passwords if PAM allows it as well
  2013-10-13 15:30         ` Koen Kooi
@ 2013-10-14  8:25           ` Richard Purdie
  2013-10-14  8:51             ` Koen Kooi
From: Richard Purdie @ 2013-10-14  8:25 UTC (permalink / raw)
  To: Koen Kooi; +Cc: openembedded-core

On Sun, 2013-10-13 at 17:30 +0200, Koen Kooi wrote:
> On 13 Oct 2013, at 15:39, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> 
> > On Sun, 2013-10-13 at 12:01 +0200, Koen Kooi wrote:
> >> On 12 Oct 2013, at 10:37, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> >> 
> >>> On Fri, 2013-10-11 at 15:37 +0200, Koen Kooi wrote:
> >>>> Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
> >>>> ---
> >>>> meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config | 2 +-
> >>>> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>>> 
> >>>> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >>>> index 4f9b626..175e8f3 100644
> >>>> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >>>> +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >>>> @@ -59,7 +59,7 @@ Protocol 2
> >>>> 
> >>>> # To disable tunneled clear text passwords, change to no here!
> >>>> #PasswordAuthentication yes
> >>>> -#PermitEmptyPasswords no
> >>>> +PermitEmptyPasswords yes
> >>>> 
> >>>> # Change to no to disable s/key passwords
> >>>> #ChallengeResponseAuthentication yes
> >>> 
> >>> I'm struggling to connect the "if PAM allows it as well" part of the
> >>> shortlog to this change? How is this conditional on PAM?
> >> 
> >> If PAM disallows empty passwords this option doesn't do anything. The
> >> PAM rules run before the openssh config options get applied.
> > 
> > What if PAM isn't being used?
> 
> I haven't tested that, but I suspect it will only allow empty passwords if you set it to 'yes'.

Let me put this a different way. I think this commit allows empty
passwords for users both using PAM and those who are not. I think the
commit message needs to clearly say that as it's a fairly serious
security change for both cases.

I'm not actually sure this makes sense as a default and it may be better
off being configurable, defaulting to off...

Cheers,

Richard




* Re: [PATCH 2/2] openssh: allow empty passwords if PAM allows it as well
  2013-10-14  8:25           ` Richard Purdie
@ 2013-10-14  8:51             ` Koen Kooi
  2013-10-14  9:32               ` Richard Purdie
From: Koen Kooi @ 2013-10-14  8:51 UTC (permalink / raw)
  To: Richard Purdie; +Cc: openembedded-core


On 14 Oct 2013, at 10:25, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:

> On Sun, 2013-10-13 at 17:30 +0200, Koen Kooi wrote:
>> On 13 Oct 2013, at 15:39, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
>> 
>>> On Sun, 2013-10-13 at 12:01 +0200, Koen Kooi wrote:
>>>> On 12 Oct 2013, at 10:37, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
>>>> 
>>>>> On Fri, 2013-10-11 at 15:37 +0200, Koen Kooi wrote:
>>>>>> Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
>>>>>> ---
>>>>>> meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config | 2 +-
>>>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>>> 
>>>>>> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
>>>>>> index 4f9b626..175e8f3 100644
>>>>>> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
>>>>>> +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
>>>>>> @@ -59,7 +59,7 @@ Protocol 2
>>>>>> 
>>>>>> # To disable tunneled clear text passwords, change to no here!
>>>>>> #PasswordAuthentication yes
>>>>>> -#PermitEmptyPasswords no
>>>>>> +PermitEmptyPasswords yes
>>>>>> 
>>>>>> # Change to no to disable s/key passwords
>>>>>> #ChallengeResponseAuthentication yes
>>>>> 
>>>>> I'm struggling to connect the "if PAM allows it as well" part of the
>>>>> shortlog to this change? How is this conditional on PAM?
>>>> 
>>>> If PAM disallows empty passwords this option doesn't do anything. The
>>>> PAM rules run before the openssh config options get applied.
>>> 
>>> What if PAM isn't being used?
>> 
>> I haven't tested that, but I suspect it will only allow empty passwords if you set it to 'yes'.
> 
> Let me put this a different way. I think this commit allows empty
> passwords for users both using PAM and those who are not.

Right

> I think the
> commit message needs to clearly say that as it's a fairly serious
> security change for both cases.

Right again.

> I'm not actually sure this makes sense as a default and it may be better
> off being configurable, defaulting to off...

Allowing passwordless (well, null passwords to be exact) logins is the current default for both PAM and dropbear, openssh is the odd one out. I don't really care what the default should be, just that all 3 should use the same :)

So should I resubmit this patch with an amended commit message or rework it and change the defaults in PAM and dropbear as well?

regards,

Koen


* Re: [PATCH 2/2] openssh: allow empty passwords if PAM allows it as well
  2013-10-14  8:51             ` Koen Kooi
@ 2013-10-14  9:32               ` Richard Purdie
From: Richard Purdie @ 2013-10-14  9:32 UTC (permalink / raw)
  To: Koen Kooi; +Cc: openembedded-core

On Mon, 2013-10-14 at 10:51 +0200, Koen Kooi wrote:
> On 14 Oct 2013, at 10:25, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> 
> > On Sun, 2013-10-13 at 17:30 +0200, Koen Kooi wrote:
> >> On 13 Oct 2013, at 15:39, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> >> 
> >>> On Sun, 2013-10-13 at 12:01 +0200, Koen Kooi wrote:
> >>>> On 12 Oct 2013, at 10:37, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> >>>> 
> >>>>> On Fri, 2013-10-11 at 15:37 +0200, Koen Kooi wrote:
> >>>>>> Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
> >>>>>> ---
> >>>>>> meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config | 2 +-
> >>>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>>>>> 
> >>>>>> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >>>>>> index 4f9b626..175e8f3 100644
> >>>>>> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >>>>>> +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >>>>>> @@ -59,7 +59,7 @@ Protocol 2
> >>>>>> 
> >>>>>> # To disable tunneled clear text passwords, change to no here!
> >>>>>> #PasswordAuthentication yes
> >>>>>> -#PermitEmptyPasswords no
> >>>>>> +PermitEmptyPasswords yes
> >>>>>> 
> >>>>>> # Change to no to disable s/key passwords
> >>>>>> #ChallengeResponseAuthentication yes
> >>>>> 
> >>>>> I'm struggling to connect the "if PAM allows it as well" part of the
> >>>>> shortlog to this change? How is this conditional on PAM?
> >>>> 
> >>>> If PAM disallows empty passwords this option doesn't do anything. The
> >>>> PAM rules run before the openssh config options get applied.
> >>> 
> >>> What if PAM isn't being used?
> >> 
> >> I haven't tested that, but I suspect it will only allow empty passwords if you set it to 'yes'.
> > 
> > Let me put this a different way. I think this commit allows empty
> > passwords for users both using PAM and those who are not.
> 
> Right
> 
> > I think the
> > commit message needs to clearly say that as it's a fairly serious
> > security change for both cases.
> 
> Right again.
> 
> > I'm not actually sure this makes sense as a default and it may be better
> > off being configurable, defaulting to off...
> 
> Allowing passwordless (well, null passwords to be exact) logins is the
> current default for both PAM and dropbear, openssh is the odd one out.
> I don't really care what the default should be, just that all 3 should
> use the same :)

Agreed, and I wish you'd said that in the original commit message as it
does make a difference ;-).

> So should I resubmit this patch with an amended commit message or
> rework it and change the defaults in PAM and dropbear as well?

I'd resend with a revised commit message including the above
justification. I'm not guaranteeing I'll take it, I'm hoping we'll get
some further discussion on the subject.

I think ultimately we need to have a config option for this which pam,
dropbear and openssh all honour. Could you add an enhancement request to
the Yocto bugzilla to that end please? That way people can clearly opt
in to specific configurations. I think it's important to get security
details like this right.

Cheers,

Richard






