
Re: Bug#156257: ITP: libpam-ssh -- SSH key authentication and single sign-on via PAM



On Sun, Aug 11, 2002 at 06:59:29AM +0200, Russell Coker wrote:
> Normally to change a user's password you have to be root or to know the old 
> password.  This prevents someone from completely taking over your account if 
> you leave your terminal logged in or get tricked into running a hostile 
> script.  This PAM module changes the regular Unix password semantics.
> 
> With such a PAM module installed anyone who can write to your home directory 
> can change your password.

I am not sure I see the problem?

(irrelevant side note: do you need to enter your old passphrase before changing
it?)

Unless of course, you think .ssh/authorized_keys is a security risk for
exactly the same reasons?

Anybody who has write access to .ssh/authorized_keys can do exactly the
same thing as if he can change the user's password.

Plus! There's still more!

Anybody who does change .ssh/authorized_keys can do so in such a way
that the real user can still log in, so the real user may not
even notice anything is wrong.
-- 
Brian May <bam@debian.org>
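The point both sides of this exchange turn on is that write access to the home directory or to .ssh/authorized_keys is already equivalent to account takeover. The following is an added example (not part of the thread or of libpam-ssh) of the ownership and write-permission audit along the home -> ~/.ssh -> authorized_keys chain that sshd's StrictModes performs; the home tree it builds and the key line it writes are constructed for the demo.

```python
import os
import stat
import tempfile

# Paths checked, in order: the home directory, ~/.ssh and the key file itself.
CHAIN = ("", ".ssh", os.path.join(".ssh", "authorized_keys"))

def insecure_write_paths(home: str, expected_uid: int) -> list[str]:
    """Report each path in home -> ~/.ssh -> authorized_keys that is owned by
    someone other than expected_uid (root excepted) or is group/other-writable.
    Under any of these conditions a third party can plant a key of their own
    while leaving the real user's key intact; sshd's StrictModes refuses the
    file for the same reasons."""
    findings = []
    for rel in CHAIN:
        path = os.path.join(home, rel) if rel else home
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue  # nothing to plant a key in yet
        if st.st_uid not in (expected_uid, 0):
            findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: group/other-writable (mode {stat.S_IMODE(st.st_mode):04o})")
    return findings

def demo() -> dict[str, list[str]]:
    """Build a constructed home tree in a temp dir and audit it under three
    permission layouts. Returns {scenario: findings}."""
    results = {}
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        key_file = os.path.join(ssh_dir, "authorized_keys")
        os.mkdir(ssh_dir)
        with open(key_file, "w") as fh:
            fh.write("ssh-rsa AAAA...constructed-sample-key... user@example\n")
        # Tight permissions: nothing to report.
        os.chmod(home, 0o700); os.chmod(ssh_dir, 0o700); os.chmod(key_file, 0o600)
        results["tight"] = insecure_write_paths(home, uid)
        # Key file group-writable: anyone in the group can append a key.
        os.chmod(key_file, 0o664)
        results["key_group_writable"] = insecure_write_paths(home, uid)
        # Home directory other-writable: .ssh itself can be replaced wholesale.
        os.chmod(key_file, 0o600); os.chmod(home, 0o707)
        results["home_other_writable"] = insecure_write_paths(home, uid)
    return results

if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, findings or ["ok"])
```

Run against a real account as `insecure_write_paths(os.path.expanduser("~"), os.getuid())`; an empty list means the chain is as tight as sshd expects.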