
Re: Bug#156257: ITP: libpam-ssh -- SSH key authentication and single sign-on via PAM



On Sun, 11 Aug 2002 08:43, Bernd Eckenfels wrote:
> On Sun, Aug 11, 2002 at 09:27:31AM +0300, Sami Haahtinen wrote:
> > I agree with Russell that the package should come with a BIG warning
> > sign.
>
> well, if you have write access to the user's home you can always take over
> his account. For example a trojan .bashrc. It would be a bit easier with
> ssh pam, but not much more. I do not think we should warn the user at
> debconf time. But we should not enable the module by default.

It's simple to recover from a trojaned .bashrc (once you've worked out it's
there).  ssh to a friend's account on the same machine and then do an ftp to
localhost into your account and rm the file.

For .bashrc in particular you can also just su to your account to avoid it, 
but I'm not certain that all shells allow you to avoid all dot-files on su.

ssh-pam makes it a bit easier for a hostile user to stuff things up and a bit 
harder for legit users to fix things.  Also less experienced administrators 
(most administrators?) will be unable to work this out for themselves.

I think that a warning in debconf is the minimum.  I'd prefer to have it 
excluded from Debian but I doubt I'll get people to agree to that.

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
