# Missing PAM file allows ssh access



## basse (Nov 12, 2012)

Hello.
If I remove the file /etc/pam.d/sshd, I can ssh with no password whatsoever!
Is this how it's supposed to work? 
On my Ubuntu machine, no PAM file = no access, that's how I expect it to work.

Is it possible to make it work like on the Ubuntu machine?


----------



## mamalos (Nov 12, 2012)

Sorry man, I couldn't reproduce your problem. Are you sure it works that way? I moved and then removed sshd from /etc/pam.d, restarted *sshd* but the system kept on asking for a password. What is your /etc/rc.d/sshd_config? 

My system is:


```
# uname -a
FreeBSD example 9.0-STABLE FreeBSD 9.0-STABLE #0: Mon Jun 18 21:04:14 EEST 2012     root@example:/usr/obj/usr/src/sys/CUSTOM  amd64
```


----------



## redw0lfx (Nov 12, 2012)

I too checked, but couldn't reproduce.  Moved /etc/pam.d/sshd away from the pam.d directory and restarted sshd.  I was still prompted for a password when logging in as a user and as root.  Could you have maybe not set a password for the user or are using ssh keyfiles for authentication instead?

My system is:

```
FreeBSD 9.1-RC3 FreeBSD 9.1-RC3 #0 r242324: Tue Oct 30 00:58:57 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
```


----------



## basse (Nov 13, 2012)

Sorry, I forgot that I had also, at an earlier stage, removed several more files in the pam.d dir...

1. remove _all_ files in the pam.d directory (I think that the README file in pam.d states that the "other" file is used when the application-specific one is not found, that's why you probably still get prompted even with removed sshd files).
2. try to ssh with a working username
3. restart sshd
4. try to ssh with a working username

I can still log in both in (2) and (4) without password.

I understand that it's really stupid to remove all files in the pam.d folder, but I'm still surprised that the default action is to allow rather than to deny.

I successfully tested this on freshly installed 8.1 & 9.1-rc3.

I have no better "proof" than my putty screenshots:
To the left, login with all pam files present, first try, faulty password, no go.
Second try, correct pw, ok.
To the right, pam files removed, sshd restarted, it allows me in with no prompt at all.
http://i.imgur.com/FNL9V.png

Again, maybe I'm just too much "what if", and this is how it's supposed to work, I just find it scary that a couple of lost files allows ssh access without a password.


Again, on my Ubuntu machine, removed PAM files will not allow me to log in. (Even without an sshd restart.)
If I'm already logged in, and try to use SUDO, it complains about a missing PAM file.

Disclaimer: I'm not an experienced FreeBSD user at all, both installs I tested this on were just freshly installed using the guided install with no changes to the default settings whatsoever.


----------



## throAU (Nov 14, 2012)

If someone has write access to the /etc/pam.d directory, all bets are off anyway.

That said, the default behaviour seems a bit... strange.


----------
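A check for the condition discussed in this thread, as an added example that is not part of any post: it reports whether a PAM policy directory still supplies an `auth` rule for a service, either in the service's own file or in the `other` fallback. The function names, the scratch-directory sample files and the "first field is `auth`" test are assumptions of this example, and Debian-style `@include` lines are not followed.

```shell
#!/bin/sh
# Added example: audit a PAM policy directory for a missing auth policy.
# pam_policy_status DIR SERVICE prints one of:
#   service  - DIR/SERVICE exists and has at least one "auth" rule
#   fallback - no usable DIR/SERVICE, but DIR/other has an "auth" rule
#   missing  - neither file supplies an "auth" rule
# and returns 0 for service/fallback, 1 for missing.

# Return 0 if file $1 is readable and has a non-comment line
# whose first field is "auth" (assumption: rules are written
# directly in the file, one per line).
has_auth_rule() {
    [ -r "$1" ] || return 1
    awk '$1 == "auth" { found = 1 } END { exit !found }' "$1"
}

pam_policy_status() {
    dir=$1
    service=$2
    if has_auth_rule "$dir/$service"; then
        echo service
        return 0
    elif has_auth_rule "$dir/other"; then
        echo fallback
        return 0
    fi
    echo missing
    return 1
}

# Constructed demo in a scratch directory (never touches /etc/pam.d).
demo=$(mktemp -d)
printf 'auth required pam_unix.so\n' > "$demo/sshd"
printf 'auth required pam_deny.so\n' > "$demo/other"
for step in "all files present" "sshd removed" "other removed too"; do
    printf '%-20s %s\n' "$step:" "$(pam_policy_status "$demo" sshd || true)"
    case $step in
        "all files present") rm -f "$demo/sshd" ;;
        "sshd removed")      rm -f "$demo/other" ;;
    esac
done
rm -rf "$demo"
```

Run from cron or a configuration-management check as `pam_policy_status /etc/pam.d sshd` and alert on a non-zero exit status.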

