I have recently adopted the libpam-ssh package and made a lot of changes in
the way the PAM module works. In summary, the module did not work as
advertised, so I rewrote parts of it while trying to make as little
disruption as possible, but one cannot make an omelet...

Because of the security implications of changing a PAM module, I would
welcome some peer reviewing of the changes I have made. The new package
has been uploaded to experimental, and the NEWS.Debian is as follows.

Also, I would like comments in general about whether there are
better ways to solve the problems.

* The PAM modules are now named 'ssh_auth' and 'ssh_session' which seems
  to be more in line with other PAM modules' names.
* The 'keyfiles' option is now obsolete. Instead the authentication
  module will automatically locate all files matching the pattern 'id_*'
  (the idea for this came from a patch from Javier Serrano Polo).
* The 'try_first_pass' now works as advertised, namely by asking for an
  SSH passphrase if the password from the previous PAM module fails to
  unlock any of the user's SSH keys.
* The 'debug' option now works as advertised, and the output goes into
  /var/log/auth.log.
* No SSH passphrase will be asked if the user has no SSH keys.

Thanks in advance,
/JP
--
Jens Peter Secher.
_DD6A 05B0 174E BFB2 D4D9 B52E 0EE5 978A FE63 E8A1 jpsecher gmail com_.
A. Because it breaks the logical sequence of discussion.
Q. Why is top posting bad?