[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

For those who care about pam-ssh: RFC



I have recently adopted the libpam-ssh package and made a lot changes in
the way the PAM module works.  In summary, the module did not work as
advertised, so I rewrote parts of it while trying to make as little
disruption as possible, but one cannot make an omelet...

Because of the security implications of changing a PAM module, I would
welcome some peer reviewing of the changes I have made.  The new package
has been uploaded to experimental, and the NEWS.Debian is as follows.
Also, I would like comments in general about the whether there are
better ways to solve the problems.

  * The PAM modules are now named 'ssh_auth' and 'ssh_session' which seems
    to be more in line with other PAM modules' names.
  
  * The 'keyfiles' option is now obsolete.  Instead the authentication
    module will automatically locate all files matching the pattern 'id_*'
    (the idea for this came from a patch from Javier Serrano Polo).

  * The 'try_first_pass' now works as advertised, namely by asking for an
    SSH passphrase if the password from the previous PAM module fails to
    unlock any of the user's SSH keys.

  * The 'debug' option now works as advertised, and the output goes into
    /var/log/auth.log .
  
  * No SSH passphrase will be asked if the user has no SSH keys.

Thanks in advance,
/JP
-- 
                                                    Jens Peter Secher.
_DD6A 05B0 174E BFB2 D4D9 B52E 0EE5 978A FE63 E8A1 jpsecher gmail com_.
A. Because it breaks the logical sequence of discussion.
Q. Why is top posting bad?

Attachment: pgpuA4ce1BR7c.pgp
Description: PGP signature


Reply to: