
I have disabled PAM by default on all my boxes that run sshd for the last 9 years out of habit; I long ago forgot the reason why (probably because the Gentoo sshd handbook entry said it was a good idea). Why UsePAM is set to yes in sshd_config by default on many distros is beyond me.


Because PAM is the default authentication framework on all those distros. Yes, it's a disaster of complexity and something pretty much no one understands. But it's what we have.

Maybe a rearchitected replacement will land in systemd someday...


Or in pulseaudio as a master troll.


Would that be systemd-pamd or s-pamd?


Key problem: aside from PAM, there is no way to use TOTP-based 2FA on your SSH server. And any modern security setup requires 2FA.
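The two positions above (turn UsePAM off as a habit, versus keep it because TOTP needs it) are easiest to reason about against the effective configuration that `sshd -T` prints. The following POSIX shell audit is an added example, not code posted by anyone in this thread: it takes `sshd -T`-style output and classifies the host as keys-only, PAM-backed two-factor, or single-factor password login. The three sample configurations are constructed for the example; on a real host you would feed it `sshd -T` output instead.

```shell
#!/bin/sh
# Added example: classify an sshd host from the effective configuration
# printed by `sshd -T` (lower-case "keyword value" lines, one per line).

# Constructed sample: PAM left on and passwords still accepted.
SAMPLE_PAM_PASSWORD='port 22
usepam yes
passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes
authenticationmethods any'

# Constructed sample: the "UsePAM no" habit, with password logins off too.
SAMPLE_KEYS_ONLY='port 22
usepam no
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
authenticationmethods publickey'

# Constructed sample: PAM kept for a TOTP module, key AND second factor required.
SAMPLE_PAM_2FA='port 22
usepam yes
passwordauthentication no
kbdinteractiveauthentication yes
pubkeyauthentication yes
authenticationmethods publickey,keyboard-interactive'

# sshd_value CONFIG KEYWORD -> prints the keyword's value (empty if absent).
sshd_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# audit_sshd CONFIG -> prints keys-only | pam-2fa | single-factor-password
# Exit status 0 for the first two, 1 for single-factor-password.
audit_sshd() {
    cfg=$1
    usepam=$(sshd_value "$cfg" usepam)
    pw=$(sshd_value "$cfg" passwordauthentication)
    kbd=$(sshd_value "$cfg" kbdinteractiveauthentication)
    # Older OpenSSH releases print the pre-rename keyword instead.
    [ -n "$kbd" ] || kbd=$(sshd_value "$cfg" challengeresponseauthentication)
    methods=$(sshd_value "$cfg" authenticationmethods)

    # A PAM keyboard-interactive second factor only counts as 2FA when
    # AuthenticationMethods chains it with publickey; "any" lets one method through.
    if [ "$usepam" = "yes" ] && [ "$kbd" = "yes" ]; then
        case "$methods" in
            *publickey,keyboard-interactive*|*keyboard-interactive,publickey*)
                echo pam-2fa; return 0 ;;
        esac
    fi

    # No password and no interactive prompts: only keys can succeed.
    if [ "$pw" = "no" ] && [ "$kbd" = "no" ]; then
        echo keys-only; return 0
    fi

    # Everything else still lets a single password (PAM or not) open a session.
    echo single-factor-password; return 1
}

# Stand-alone usage: audit the three samples, or a live host with
#   audit_sshd "$(sshd -T)"
for s in "$SAMPLE_PAM_PASSWORD" "$SAMPLE_KEYS_ONLY" "$SAMPLE_PAM_2FA"; do
    audit_sshd "$s" || true
done
```

Feeding it `sshd -T` rather than a hand-read `sshd_config` matters because Include files and Match blocks change what actually applies; the classification also shows why "UsePAM no" alone is not a hardening step unless PasswordAuthentication is off as well.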


OpenBSD has bsd_auth and it works well with things like googleauth (HOTP, TOTP), s/key, etc.

I think the problem is that somehow everyone ended up with PAM and are now somewhat stuck with it. FreeBSD too.


Good to know, thanks! I hope this gets ported to Debian/Ubuntu... I wish it shipped with built-in 2FA capability.



