
Re: For those who care about pam-ssh: RFC



On Thu, Dec 04, 2008 at 02:03:52AM -0800, Steve Langasek wrote:

||  On Wed, Dec 03, 2008 at 11:19:52PM +0100, Jens Peter Secher wrote:
||
||  >   * The 'keyfiles' option is now obsolete.  Instead the authentication
||  >     module will automatically locate all files matching the pattern 'id_*'
||  >     (the idea for this came from a patch from Javier Serrano Polo).
||
||  That doesn't sound like a good idea to me.  What if a user has extra ssh
||  keys lying around that multiple people have the passphrase to, which prior
||  to this change would have been perfectly safe?
||
||  Also, why is the pattern id_*?  ssh also recognizes 'identity' by default.
||  Shouldn't this really use the same pattern as ssh itself, i.e.,
||  (identity|id_dsa|id_rsa)?

In addition I, and probably some others, have the habit of disabling
files by adding a .OFF extension to them.

This practice is based on the (in my view) reasonable assumption that
programs should not be scanning directories for files to use unless
those directories are specially intended for that purpose.

It probably would be fine if there were a (documented) ~/.ssh/id.d/
directory containing keys to be used (and nothing else).

Ciao.                                                        Vincent.
-- 
Vincent Zweije <zweije@xs4all.nl>    | "If you're flamed in a group you
<http://www.xs4all.nl/~zweije/>      | don't read, does anybody get burnt?"
[Xhost should be taken out and shot] |            -- Paul Tomblin on a.s.r.
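As an added illustration of the two filename policies argued over in this thread (the quoted objection and the reply above), not code from pam-ssh, from Debian or from either author: a small C program that runs both selection rules over a constructed ~/.ssh listing. The glob rule is the proposed 'id_*' behaviour; the allowlist rule uses the default identity names Steve mentions. The sample listing, the function names and the third-party key names in it are assumptions made for the demo.

```c
/* Added example: compare two key-file discovery policies for a PAM module.
 * Not pam-ssh code; the directory listing below is constructed for the demo. */
#include <fnmatch.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed ~/.ssh listing (hypothetical): ssh's default identity names,
 * their public halves, a key disabled with .OFF, and a shared extra key. */
static const char *const sample_dir[] = {
    "authorized_keys", "config", "identity", "id_dsa", "id_dsa.pub",
    "id_rsa", "id_rsa.pub", "id_rsa.OFF", "id_team_shared", "known_hosts",
};
#define SAMPLE_N (sizeof sample_dir / sizeof sample_dir[0])

/* Policy 1 (the proposed change): every name matching the glob id_*.
 * fnmatch's '*' also matches '.', so .pub, .OFF and ad-hoc names pass. */
size_t select_glob(const char *const *names, size_t n,
                   const char **out, size_t max)
{
    size_t k = 0;
    for (size_t i = 0; i < n && k < max; i++)
        if (fnmatch("id_*", names[i], 0) == 0)
            out[k++] = names[i];
    return k;
}

/* Policy 2 (the suggestion in the quoted reply): only the names ssh itself
 * tries by default, matched exactly, so disabled or extra keys are skipped. */
static const char *const ssh_defaults[] = { "identity", "id_dsa", "id_rsa" };

size_t select_ssh_defaults(const char *const *names, size_t n,
                           const char **out, size_t max)
{
    size_t k = 0;
    for (size_t i = 0; i < n && k < max; i++)
        for (size_t j = 0; j < sizeof ssh_defaults / sizeof ssh_defaults[0]; j++)
            if (strcmp(names[i], ssh_defaults[j]) == 0) {
                out[k++] = names[i];
                break;
            }
    return k;
}

/* True if name ended up in the selected list. */
bool selected(const char **sel, size_t k, const char *name)
{
    for (size_t i = 0; i < k; i++)
        if (strcmp(sel[i], name) == 0)
            return true;
    return false;
}

int main(void)
{
    const char *out[SAMPLE_N];
    size_t k = select_glob(sample_dir, SAMPLE_N, out, SAMPLE_N);
    printf("id_* glob selects %zu file(s):\n", k);
    for (size_t i = 0; i < k; i++)
        printf("  %s\n", out[i]);

    k = select_ssh_defaults(sample_dir, SAMPLE_N, out, SAMPLE_N);
    printf("ssh default names select %zu file(s):\n", k);
    for (size_t i = 0; i < k; i++)
        printf("  %s\n", out[i]);
    return 0;
}
```

Run stand-alone, the program prints both lists: the glob picks up the public halves, the .OFF file and the shared key, while the exact-name rule selects only identity, id_dsa and id_rsa, which is the difference the two replies are pointing at.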
