Re: Bug#156257: ITP: libpam-ssh -- SSH key authentication and single sign-on via PAM
On Sun, Aug 11, 2002 at 08:43:50AM +0200, Bernd Eckenfels wrote:
> On Sun, Aug 11, 2002 at 09:27:31AM +0300, Sami Haahtinen wrote:
> > I argee with Russell that the package should come with a BIG warning
> > sign.
>
> well, if you have writ access to the users home you can always take over his
> account. For example a trojan .bashrc. It would be a bit more easy with ssh
> pam, but not much more. I do not think we should warn the user in debconf
> time. But we should not enable the module on default.
A trojaned .bashrc is different. You can do a lot by messing with one's
.bashrc, but being able to change one's own password is a unique power.
--
Carlos Laviola < claviola@debian.org >
Debian GNU/Linux <http://www.debian.org>
Reply to: