Re: Bug#156257: ITP: libpam-ssh -- SSH key authentication and single sign-on via PAM
On Sun, Aug 11, 2002 at 06:59:29AM +0200, Russell Coker wrote:
> Normally to change a user's password you have to be root or to know the old
> password. This prevents someone from completely taking over your account if
> you leave your terminal logged in or get tricked into running a hostile
> script. This PAM module changes the regular Unix password semantics.
>
> With such a PAM module installed anyone who can write to your home directory
> can change your password.
I am not sure I see the problem?

(irrelevant side note: do you need to enter your old passphrase before changing
it?)

Unless of course, you think .ssh/authorized_keys is a security risk for
exactly the same reasons?

Anybody who has write access to .ssh/authorized_keys can do exactly the
same thing as if he can change the user's password.

Plus! There's still more!

Anybody who does change .ssh/authorized_keys can do so in such a way
that the real user can still log in, so the real user may not
even notice anything is wrong.
--
Brian May <bam@debian.org>
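
Added example, not part of the original message: the thread's point is that write access to the home directory, ~/.ssh or ~/.ssh/authorized_keys is equivalent to control of the account's login credentials, so this sketch audits those three paths for owners or modes that let anyone but the user or root modify them. The function names and the sample home directory are hypothetical and constructed for the demonstration.

```python
import os
import stat
import tempfile

def writable_by_others(path, uid):
    """Return a reason if someone other than uid or root can modify path, else None."""
    st = os.stat(path)
    if st.st_uid not in (uid, 0):
        return f"owned by uid {st.st_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"group/other writable (mode {stat.S_IMODE(st.st_mode):04o})"
    return None

def audit_login_paths(home, uid):
    """Check home, ~/.ssh and ~/.ssh/authorized_keys (similar in spirit to
    what OpenSSH's StrictModes enforces); return a list of (path, reason)."""
    findings = []
    for rel in ("", ".ssh", os.path.join(".ssh", "authorized_keys")):
        path = os.path.join(home, rel) if rel else home
        if not os.path.exists(path):
            continue
        reason = writable_by_others(path, uid)
        if reason:
            findings.append((path, reason))
    return findings

def demo():
    """Constructed sample: a temporary 'home' whose .ssh directory is group-writable."""
    home = tempfile.mkdtemp()
    os.chmod(home, 0o755)
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    keys = os.path.join(ssh_dir, "authorized_keys")
    with open(keys, "w") as f:
        f.write("ssh-ed25519 AAAA...constructed user@example\n")  # placeholder key
    os.chmod(keys, 0o600)
    os.chmod(ssh_dir, 0o770)  # weak: group members can replace authorized_keys
    before = audit_login_paths(home, os.getuid())
    os.chmod(ssh_dir, 0o700)  # corrected
    after = audit_login_paths(home, os.getuid())
    return before, after

if __name__ == "__main__":
    print(demo())
```

A tight mode on authorized_keys itself is not enough: a writable parent directory lets the file be renamed and replaced, which is why all three paths are checked.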