
Re: For those who care about pam-ssh: RFC

2008/12/3 Jens Peter Secher <jpsecher.noreply@gmail.com>:

> Because of the security implications of changing a PAM module, I would
> welcome some peer reviewing of the changes I have made.  The new package
> has been uploaded to experimental, and the NEWS.Debian is as follows.
> Also, I would like comments in general about whether there are
> better ways to solve the problems.

As a user, I see a regression: I have @include (pam)-ssh-auth before
@include common-auth in my configuration, and I use two different
passwords for my local account and my ssh key;  this way if I know
I'll be networking I take the bother to type the long-and-very-secure
password to unlock my key and get access to the computer, otherwise I
just hit enter and I'm asked for the simpler local password (I don't
think there's really a point in a strong password if someone has
physical access to the computer).
This doesn't work anymore out-of-the-box. Of course switching back to
the old behaviour is not a big deal, so I'm not complaining, just
wondering if this change makes the package better fitted to what the
user is expecting from it.
Maybe I'm the odd one, I don't know; let me just point out that with the
new way the unlock of the key is not what grants you the access to the
machine (which is what I would think ssh-auth does), IFUC.
I also noted that pam-ssh-auth and pam-ssh-session stayed in
/etc/pam.d after the upgrade, I don't know if this is intended.
