How to disable PAM password authentication, for SSHD, in CentOS 7.4

felix at kngnt.org felix at kngnt.org
Wed Apr 4 11:47:26 UTC 2018


Hi all,

 For a small project I am collaborating on, I need to disable any possible password-based authentication in PAM, for SSH, so that the only authentication happens through a script called via pam_exec. This is how the sshd PAM module looks, after having commented out the "auth substack password-auth" entry:

 #%PAM-1.0
 auth required pam_sepermit.so
 auth sufficient pam_exec.so stdout /bin/script_auth.sh
 #auth substack password-auth
 auth include postlogin
 # Used with polkit to reauthorize users in remote sessions
 -auth optional pam_reauthorize.so prepare
 account required pam_nologin.so
 account include password-auth
 password include password-auth
 # pam_selinux.so close should be the first session rule
 session required pam_selinux.so close
 session required pam_loginuid.so
 # pam_selinux.so open should only be followed by sessions to be executed in the user context
 session required pam_selinux.so open env_params
 session required pam_namespace.so
 session optional pam_keyinit.so force revoke
 session include password-auth
 session include postlogin
 # Used with polkit to reauthorize users in remote sessions
 -session optional pam_reauthorize.so prepare

The contents of password-auth are the defaults:

 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth required pam_env.so
 auth sufficient pam_unix.so nullok try_first_pass
 auth requisite pam_succeed_if.so uid >= 1000 quiet_success
 auth required pam_deny.so

 account required pam_unix.so
 account sufficient pam_localuser.so
 account sufficient pam_succeed_if.so uid < 1000 quiet
 account required pam_permit.so

 password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 password required pam_deny.so

 session optional pam_keyinit.so revoke
 session required pam_limits.so
 -session optional pam_systemd.so
 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session required pam_unix.so

So my question is: does anybody know why I am getting a "Broken pipe" error when logging in with this module, and I can see in the server journal a pam_setcred error? How can I achieve my goal?

Thank you very much for your time,
Felix
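An added example, not part of Felix's post or of the pam-list archive: a small Python audit script that parses PAM configuration files in the format quoted above, resolves `include`/`substack` directives for one rule type, and reports which modules remain reachable in the effective `auth` stack. It embeds the two files from the post as constructed in-memory text (plus a constructed stand-in for `postlogin`, which on CentOS 7 carries session rules only), so it runs offline; `load_dir()` is an assumed helper for pointing it at a real `/etc/pam.d`. The two checks it performs follow standard Linux-PAM stacking semantics: whether a password-checking module such as `pam_unix.so` is still in the stack after the edit, and whether a `required`/`requisite` `pam_deny.so` backstop exists, since a `sufficient` module that fails does not by itself deny the login.

```python
"""Audit the effective PAM 'auth' stack for a service, resolving include/substack.

Added example, not code from the mailing-list post. SAMPLE_FILES holds the
two stacks quoted in the post as constructed in-memory files; the 'postlogin'
entry is a constructed stand-in (session rules only, as on CentOS 7).
"""
import re
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class Rule:
    type: str            # auth / account / password / session
    control: str         # required, sufficient, [success=1 ...], include, substack
    module: str          # module file, or target file for include/substack
    args: list = field(default_factory=list)
    optional: bool = False   # leading '-': a missing module is skipped, not logged


SAMPLE_FILES = {
    # The sshd stack from the post, with the substack line commented out.
    "sshd": """\
#%PAM-1.0
auth required pam_sepermit.so
auth sufficient pam_exec.so stdout /bin/script_auth.sh
#auth substack password-auth
auth include postlogin
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
session required pam_selinux.so close
session required pam_loginuid.so
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
-session optional pam_reauthorize.so prepare
""",
    # The default password-auth file from the post.
    "password-auth": """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
""",
    # Constructed stand-in: postlogin contributes no auth rules.
    "postlogin": "session optional pam_umask.so silent\n",
}
# Same sshd stack with the substack line restored, for a before/after comparison.
SAMPLE_FILES["sshd-original"] = SAMPLE_FILES["sshd"].replace("#auth substack", "auth substack")

# Modules that verify a password (or password-like secret) during 'auth'.
PASSWORD_CHECKERS = {"pam_unix.so", "pam_sss.so", "pam_ldap.so", "pam_krb5.so", "pam_winbind.so"}

_RULE_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def parse_pam(text):
    """Parse one PAM file into Rule objects; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        optional = line.startswith("-")
        if optional:
            line = line[1:]
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        rtype, control, module, args = m.groups()
        rules.append(Rule(rtype.lower(), control, module, args.split(), optional))
    return rules


def effective_stack(service, rtype, files, depth=0):
    """Flatten the rules of one type for a service, following include/substack.

    substack is treated like include here: the jump-scoping difference does not
    change which modules are reachable, which is all this audit cares about.
    """
    if depth > 8:
        raise RecursionError(f"include loop while resolving {service!r}")
    out = []
    for r in parse_pam(files[service]):
        if r.type != rtype:
            continue
        if r.control in ("include", "substack"):
            out.extend(effective_stack(r.module, rtype, files, depth + 1))
        else:
            out.append(r)
    return out


def audit_auth(stack):
    """Report password modules still reachable and whether a deny backstop exists."""
    modules = [r.module for r in stack]
    return {
        "modules": modules,
        "password_modules": [m for m in modules if m in PASSWORD_CHECKERS],
        "sufficient_modules": [r.module for r in stack if r.control == "sufficient"],
        # A failing 'sufficient' rule is ignored; only a required/requisite
        # pam_deny.so guarantees the stack fails when nothing else succeeded.
        "deny_backstop": any(r.module == "pam_deny.so" and r.control in ("required", "requisite")
                             for r in stack),
    }


def load_dir(path="/etc/pam.d"):
    """Assumed helper: read every file in a real pam.d directory into the files dict."""
    return {p.name: p.read_text() for p in Path(path).iterdir() if p.is_file()}


if __name__ == "__main__":
    for svc in ("sshd-original", "sshd"):
        print(svc, audit_auth(effective_stack(svc, "auth", SAMPLE_FILES)))
```

Run against the embedded files it shows the effect of the edit: the original stack reaches `pam_unix.so` and ends in a `required pam_deny.so`, while the edited stack reaches only `pam_sepermit.so`, `pam_exec.so` and `pam_reauthorize.so` and has no deny backstop left, so the outcome when the script fails depends entirely on the remaining modules rather than on an explicit denial. On a host, replace `SAMPLE_FILES` with `load_dir()`.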