
Re: For those who care about pam-ssh: RFC

On 2008-12-03T23:19:52, Jens Peter Secher wrote:
>   * No SSH passphrase will be asked if the user has no SSH keys.

Is the idea to make the module optional if there is no private key?  It 
would be fine if the module is configured as optional (and perhaps 
sufficient?), but if the module is required then it leaks if the key 
exists and possibly if the user exists or not.

I authenticate against my private key by having common-auth read:

auth required pam_ssh.so keyfiles=id_dsa

(i.e. not using pam_unix).  This currently leaks if the user is correct 
or not via different behavior / error message, and is bad by similar logic.

Allan Wind
Life Integrity, LLC
