Re: For those who care about pam-ssh: RFC

To: debian-devel@lists.debian.org
Subject: Re: For those who care about pam-ssh: RFC
From: Allan Wind <allan_wind@lifeintegrity.com>
Date: Sat, 6 Dec 2008 01:31:23 -0500
Message-id: <[🔎] 20081206063123.GX20519@lifeintegrity.com>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 87oczsnbp3.fsf@tarjan.ravneholm26.dk>
References: <[🔎] 87oczsnbp3.fsf@tarjan.ravneholm26.dk>

On 2008-12-03T23:19:52, Jens Peter Secher wrote:
>   * No SSH passphrase will be asked if the user has no SSH keys.

Is the idea to make the module optional if there is no private key?  It 
would be fine if the module is configured as optional (and perhaps 
sufficient?), but if the module is required then it leaks if the key 
exist and possible if the user exist or not.

I authenticate against my private key by having common-auth read:

auth required pam_ssh.so keyfiles=id_dsa

(i.e. not using pam_unix).  This currently leaks if the user is correct 
or not via different behavior / error message and bad by similar logic.


/Allan
-- 
Allan Wind
Life Integrity, LLC
http://lifeintegrity.com

Reply to:

Follow-Ups:
- Re: For those who care about pam-ssh: RFC
  - From: "Jens Peter Secher" <jps@debian.org>

References:
- For those who care about pam-ssh: RFC
  - From: Jens Peter Secher <jpsecher.noreply@gmail.com>

Prev by Date: Re: Packages still depending on GTK+ 1.2
Next by Date: Re: Packages still depending on GTK+ 1.2
Previous by thread: Re: For those who care about pam-ssh: RFC
Next by thread: Re: For those who care about pam-ssh: RFC
Index(es):
- Date
- Thread