
Re: For those who care about pam-ssh: RFC



2008/12/4 Vincent Zweije <vzweije@zweije.nl.eu.org>:
> On Thu, Dec 04, 2008 at 02:03:52AM -0800, Steve Langasek wrote:
>
> ||  On Wed, Dec 03, 2008 at 11:19:52PM +0100, Jens Peter Secher wrote:
> ||
> ||  >   * The 'keyfiles' option is now obsolete.  Instead the authentication
> ||  >     module will automatically locate all files matching the pattern 'id_*'
> ||  >     (the idea for this came from a patch from Javier Serrano Polo).
> ||
> ||  That doesn't sound like a good idea to me.  What if a user has extra ssh
> ||  keys lying around that multiple people have the passphrase to, which prior
> ||  to this change would have been perfectly safe?
> ||
> ||  Also, why is the pattern id_*?  ssh also recognizes 'identity' by default.
> ||  Shouldn't this really use the same pattern as ssh itself, i.e.,
> ||  (identity|id_dsa|id_rsa)?
>
> In addition I, and probably some others, have the habit of disabling
> files by adding a .OFF extension to it.
>
> This practice is based on the (in my view) reasonable assumption that
> programs should not be scanning directories for files to use unless
> those directories are specially intended for that purpose.
>
> It probably would be fine if there were a (documented) ~/.ssh/id.d/
> directory containing keys to be used (and nothing else).
>

That is a very good idea.  But the id.d directory should probably
contain soft links to the actual keys to not interfere with the
standard location.  Are there other packages which do something
similar?

If there are no objections, I will implement such a behaviour.

Cheers,
-- 
                                                    Jens Peter Secher.
_DD6A 05B0 174E BFB2 D4D9 B52E 0EE5 978A FE63 E8A1 jpsecher gmail com_.
A. Because it breaks the logical sequence of discussion.
Q. Why is top posting bad?
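The three key-selection policies discussed in this thread, modelled in Python as an added illustration (this is not pam-ssh's code, nor anything posted by the participants): the `id_*` glob from the changelog, the fixed `identity`/`id_dsa`/`id_rsa` names ssh tries by default, and the proposed `~/.ssh/id.d/` directory of symlinks. `build_demo_dir` constructs a throwaway `.ssh` layout, with a spare key `id_shared`, a disabled `id_dsa.OFF`, and a stray regular file and dangling link inside `id.d`, so the difference in what each policy picks up is visible. File names other than the three ssh defaults are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# The names ssh itself tries by default, as listed in the thread.
SSH_DEFAULT_KEYS = ("identity", "id_dsa", "id_rsa")


def keys_by_glob(ssh_dir):
    """Model of the objected-to policy: any file matching id_* is a candidate.

    Spare keys and disabled copies (.OFF) are swept in along with the
    intended ones; only .pub files are excluded here.
    """
    d = Path(ssh_dir)
    return sorted(p.name for p in d.glob("id_*")
                  if p.is_file() and not p.name.endswith(".pub"))


def keys_by_ssh_defaults(ssh_dir):
    """Only the fixed names ssh recognises by default, in ssh's order.

    A key renamed to id_dsa.OFF is no longer 'id_dsa', so it is skipped.
    """
    d = Path(ssh_dir)
    return [name for name in SSH_DEFAULT_KEYS if (d / name).is_file()]


def keys_from_id_d(ssh_dir):
    """Proposed policy: a dedicated id.d/ directory holding symlinks.

    Only symlinks that resolve to a regular file count; stray regular
    files and dangling links in id.d/ are ignored.  Returns the resolved
    target paths, which is what a module would actually open.
    """
    d = Path(ssh_dir) / "id.d"
    if not d.is_dir():
        return []
    targets = []
    for entry in sorted(d.iterdir()):
        if entry.is_symlink() and entry.is_file():   # is_file follows links
            targets.append(str(entry.resolve()))
    return targets


def build_demo_dir():
    """Construct a sample ~/.ssh layout in a temp dir and return its path.

    Contents are placeholders (no real key material is written).
    """
    d = Path(tempfile.mkdtemp(prefix="pam-ssh-demo-"))
    for name in ("identity", "id_rsa", "id_rsa.pub",
                 "id_shared",      # constructed: a key others know the passphrase to
                 "id_dsa.OFF"):    # constructed: a key disabled by renaming
        (d / name).write_text("placeholder\n")
    idd = d / "id.d"
    idd.mkdir()
    (idd / "work").symlink_to("../id_rsa")       # intended key, linked in
    (idd / "old").symlink_to("../id_missing")    # dangling link, ignored
    (idd / "notes").write_text("not a key\n")    # stray file, ignored
    return str(d)


if __name__ == "__main__":
    demo = build_demo_dir()
    print("glob id_*      :", keys_by_glob(demo))
    print("ssh defaults   :", keys_by_ssh_defaults(demo))
    print("id.d/ symlinks :", keys_from_id_d(demo))
```

Running it shows the glob policy returning `id_shared` and `id_dsa.OFF` alongside `id_rsa`, while the default-name and `id.d/` policies return only what the user explicitly set up.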