Subject: pam, ssh, user account vulnerability

I have a 3-yr-old child whose password is the same as his username
(michael/michael). This is done because he is able to type that in to
log in and play a couple of simple games, tuxpaint, kids.pbs.org, etc.
Of course, such a password is really bad for a machine connected to the
Internet. The only firewall hole I have punched is for ssh, port 22,
and I've set up /etc/pam.d/sshd to have
    auth required pam_listfile.so onerr=fail item=user sense=allow file=/etc/sshd.allow
and /etc/sshd.allow to have only my account:
    lenny
This has always worked for me, with my account & strong password
being the only way into the box from the outside.
A few days ago, I noticed that my son's password had been changed. I
figured he must have clicked on a dialog to change it from his desktop,
so I changed it back. A few days later, I noticed bandwidth and cpu
usage spiked from procs running under his ID that I don't recognize. I
noticed that someone had installed priv8, scann, and a couple of other
rootkit/tarballs in his home directory, and is using them to try to get
control of other machines. Luckily, the attacker wasn't able to
compromise anything else on the system -- they weren't able to get a
local root elevation and the system is otherwise (verifiably) intact
(thank you rpm -Va!). I changed his password and can now see attempts
at getting in via ssh fail. No more abnormal activity on the box.
Somehow, my pam.d configs don't seem to work anymore -- sshd allows
any local user in except those excluded in /etc/ssh/sshd_config
explicitly (i.e., root). What would cause this? This all seemed to
stop working when I upgraded from Fedora Core 3 to FC4, and try as I
might to twiddle pam.d settings and restart services, they seem to be
ignored. How can I check to see that pam is working? What else could
be wrong? I'd really like to go back to only allowing myself in from
the outside...
Thanks,
Lenny.
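An added audit script, not part of Lenny's post, that answers "how can I check that pam is working" for this setup: it verifies that the pam_listfile rule is present, that the allow file is sane and unwritable by others, and that sshd is configured with `UsePAM yes`, without which sshd never consults /etc/pam.d/sshd at all. The file paths are parameters and the sample configuration files at the bottom are constructed in a scratch directory; on a real host you would point `audit` at /etc/pam.d/sshd, /etc/sshd.allow and /etc/ssh/sshd_config.

```shell
#!/bin/bash
# Audit whether an sshd pam_listfile allow-list is in a position to be enforced.
# Added example; the sample files created below are constructed, not real configs.

# check_pam_listfile PAMFILE ALLOWFILE -> 0 if PAMFILE has a pam_listfile rule
# with sense=allow pointing at ALLOWFILE in the auth or account stack.
check_pam_listfile() {
  grep -Eq "^(auth|account)[[:space:]]+required[[:space:]]+pam_listfile\.so.*sense=allow.*file=$2([[:space:]]|$)" "$1"
}

# check_allowfile FILE -> 0 if FILE exists, is non-empty and is not writable by
# group or other (anyone who can append to it can admit any user).
check_allowfile() {
  [ -s "$1" ] || return 1
  # ls -l columns 6 and 9 are the group and other write bits
  case "$(ls -ld "$1" | cut -c6,9)" in *w*) return 1 ;; esac
}

# check_usepam SSHDCONF -> 0 if sshd is told to run the PAM stack at all;
# with "UsePAM no" every rule in /etc/pam.d/sshd is silently ignored.
check_usepam() {
  grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' "$1"
}

# allowlist_users FILE -> prints the users the list admits (comments/blank lines dropped)
allowlist_users() {
  grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# audit PAMFILE ALLOWFILE SSHDCONF -> 0 only if every check passes; failures go to stderr
audit() {
  local rc=0
  check_pam_listfile "$1" "$2" || { echo "no pam_listfile rule for $2 in $1" >&2; rc=1; }
  check_allowfile "$2"          || { echo "$2 missing, empty or group/world-writable" >&2; rc=1; }
  check_usepam "$3"             || { echo "UsePAM is not 'yes' in $3" >&2; rc=1; }
  return $rc
}

# Constructed sample configuration mirroring the post, in a scratch directory.
DEMO=$(mktemp -d)
printf 'auth required pam_listfile.so onerr=fail item=user sense=allow file=%s\n' \
  "$DEMO/sshd.allow" > "$DEMO/pam_sshd"
printf 'lenny\n' > "$DEMO/sshd.allow"; chmod 600 "$DEMO/sshd.allow"
printf 'UsePAM yes\nPermitRootLogin no\n' > "$DEMO/sshd_config.ok"
printf 'UsePAM no\n' > "$DEMO/sshd_config.bad"
audit "$DEMO/pam_sshd" "$DEMO/sshd.allow" "$DEMO/sshd_config.ok" && echo "allow-list enforced"
audit "$DEMO/pam_sshd" "$DEMO/sshd.allow" "$DEMO/sshd_config.bad" || echo "allow-list NOT enforced"
```

Note that a rule in the `auth` stack only gates password and keyboard-interactive logins, because sshd runs pam_authenticate only for those; placing the same pam_listfile rule in the `account` stack also covers public-key logins, and an `AllowUsers lenny` line in sshd_config gives a second, PAM-independent gate. Remove `$DEMO` when done.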