# PAM not so great idea



## Oko (Jul 24, 2015)

Some people got annoyed when I pointed out that PAM is not such a great idea and that it should never have been brought over from Linux, just like SSSD. Here is a little discussion which reveals that the alleged "OpenSSH bug" might actually not be a bug, and why FreeBSD is the most seriously affected.

http://marc.info/?l=openbsd-misc&m=143766047211907&w=2

Screw the OpenBSD crew (myself included) and our stupid ypldap daemon if you don't like us, but do one good thing for your OS and take a clue from HP UNIX and the like on how those things are done right.


----------



## RichardET (Jul 24, 2015)

So in the sshd_config you need to uncomment this line and change the setting to no?

```
# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes
```

What about the default of max tries = 6? Should that be lowered to 3?


----------
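To see what those two sshd_config lines actually do once edited, here is an added audit script (it is not from this thread, nor OpenSSH's or FreeBSD's own tooling) that reports the effective ChallengeResponseAuthentication, UsePAM and MaxAuthTries values of a config file. It applies the parsing rules sshd uses: only the first occurrence of a keyword counts, keywords are case-insensitive, commented lines are ignored, and a Match block ends the global section. The two sample configs are constructed; the built-in defaults it assumes when a keyword is unset are ChallengeResponseAuthentication yes, UsePAM no and MaxAuthTries 6, as documented in upstream sshd_config(5).

```shell
#!/bin/sh
# Added example, not from the thread: audit the sshd_config keywords asked about
# above. sshd honours only the FIRST occurrence of a keyword, matches keywords
# case-insensitively and ignores commented lines, so leaving
# "#ChallengeResponseAuthentication yes" commented out keeps the built-in default.

# Print the effective value of keyword $2 in config file $1 ("" when unset).
# Only the global section is read; the first Match block ends the scan.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        { sub(/=/, " ") }                       # accept the "Keyword=value" form too
        tolower($1) == "match" { exit }         # stop at the first Match block
        tolower($1) == key { print $2; exit }   # first occurrence wins
    ' "$1"
}

# Same, but fall back to sshd's built-in default $3 when the keyword is unset.
sshd_value_or_default() {
    v=$(sshd_effective "$1" "$2")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# One PASS/FAIL/INFO line per keyword; exit status 1 if any check fails.
# Defaults assumed (upstream sshd_config(5)): ChallengeResponseAuthentication yes,
# UsePAM no, MaxAuthTries 6.
audit_sshd() {
    cfg=$1
    rc=0
    cra=$(sshd_value_or_default "$cfg" ChallengeResponseAuthentication yes)
    pam=$(sshd_value_or_default "$cfg" UsePAM no)
    tries=$(sshd_value_or_default "$cfg" MaxAuthTries 6)
    if [ "$cra" = no ]; then echo "PASS ChallengeResponseAuthentication=$cra"
    else echo "FAIL ChallengeResponseAuthentication=$cra (want no)"; rc=1; fi
    echo "INFO UsePAM=$pam"
    case $tries in
        *[!0-9]*|'') echo "FAIL MaxAuthTries=$tries (not a number)"; rc=1 ;;
        *) if [ "$tries" -le 3 ]; then echo "PASS MaxAuthTries=$tries"
           else echo "FAIL MaxAuthTries=$tries (want 3 or less)"; rc=1; fi ;;
    esac
    return $rc
}

# Constructed sample 1: the stock commented-out lines, i.e. the defaults in force.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes
UsePAM yes
#MaxAuthTries 6
EOF

# Constructed sample 2: the settings the question above proposes, with a
# Match block after them that must not influence the global values.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
ChallengeResponseAuthentication no
MaxAuthTries = 3
UsePAM yes
Match User backup
    MaxAuthTries 10
EOF

echo "== stock =="; audit_sshd "$SAMPLE_CFG" || echo "(not hardened)"
echo "== hardened =="; audit_sshd "$HARDENED_CFG" || echo "(not hardened)"
```

Run it against /etc/ssh/sshd_config by replacing the sample path; the stock sample fails both checks because the commented-out lines leave the defaults (yes and 6) in force, while the second sample passes. Whether UsePAM should itself be turned off is a separate decision, so the script only reports it.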



## junovitch@ (Jul 24, 2015)

What do you mean by "brought from Linux"? OpenPAM is an independent implementation that FreeBSD, NetBSD, DragonFlyBSD, and Mac OS all use. See https://en.wikipedia.org/wiki/OpenPAM.


----------



## kpa (Jul 24, 2015)

PAM is certainly a great idea, but the implementation is less than what is desired because it forces you to load untrusted code into your reviewed and verified application's address space *). I can't believe no one has come up with something similar using some kind of IPC solution for separating the authentication mechanisms from the application using them.

*) That's what plugins do in general, but we are talking about security and authentication here.


----------

