Re: Bug#156257: ITP: libpam-ssh -- SSH key authentication and single sign-on via PAM

To: debian-devel@lists.debian.org
Subject: Re: Bug#156257: ITP: libpam-ssh -- SSH key authentication and single sign-on via PAM
From: ressu@ressukka.net (Sami Haahtinen)
Date: Sun, 11 Aug 2002 09:27:31 +0300
Message-id: <[🔎] 20020811062731.GA26506@stradivarius.ressukka.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20020811045929.88C45850B@lyta.coker.com.au>
References: <[🔎] E17diLC-0000V6-00@jones.argon.org> <[🔎] pzptwqysjw.fsf@eeyore.ibcinc.com> <[🔎] 20020811045929.88C45850B@lyta.coker.com.au>

On Sun, Aug 11, 2002 at 06:59:29AM +0200, Russell Coker wrote:
> On Sun, 11 Aug 2002 05:37, Roderick Schertler wrote:
> > The pam_ssh PAM module allows you to authenticate yourself by supplying
> > the passphrase for your SSH key (id_dsa, id_rsa, or identity in ~/.ssh).
> > Better yet, it can be to configured launch an ssh-agent and load the
> > decrypted key into it.  You supply your passphrase just once when you
> > log in, and you get an agent loaded with that key.
> 
> This includes a trojan, breaking the security on a network program you run 
> (such as an IRC client), or breaking the security on a network server that 
> runs as the user (EG a security hole in a finger daemon that takes affect 
> after it calls setuid() to go to the UID of the person being fingered).
> 
> This PAM module allows accounts to be cracked by people with less skill, 
> using less effort, and makes it more difficult for the real user to reclaim 
> their account.

This reminds me of the proof of concept SSH worm, which just copied it
over ssh to all hosts in your known hosts file (refusing keyboard
interactive login, so you end up failing if you don't have a key to that
host). This module would offer nice new breedingground for worms like
that.

I argee with Russell that the package should come with a BIG warning
sign.

Sami

-- 
			  -< Sami Haahtinen >-
      -[ Notify immediately if you do not receive this message ]-
	-< 2209 3C53 D0FB 041C F7B1  F908 A9B6 F730 B83D 761C >-

Reply to:

Follow-Ups:
- Re: Bug#156257: ITP: libpam-ssh -- SSH key authentication and single sign-on via PAM
  - From: Bernd Eckenfels <lists@lina.inka.de>

References:
- Bug#156257: ITP: libpam-ssh -- <Roderick> I didn't write it, I'm just working on it. It authenticates you by u
  - From: Roderick Schertler <roderick@argon.org>
- Bug#156257: ITP: libpam-ssh -- SSH key authentication and single sign-on via PAM
  - From: Roderick Schertler <roderick@argon.org>
- Re: Bug#156257: ITP: libpam-ssh -- SSH key authentication and single sign-on via PAM
  - From: Russell Coker <russell@coker.com.au>

Prev by Date: Re: debugging g++ 3.1 compiled apps
Next by Date: Re: Bug#156257: ITP: libpam-ssh -- SSH key authentication and single sign-on via PAM
Previous by thread: Re: Bug#156257: ITP: libpam-ssh -- SSH key authentication and single sign-on via PAM
Next by thread: Re: Bug#156257: ITP: libpam-ssh -- SSH key authentication and single sign-on via PAM
Index(es):
- Date
- Thread