Re: For those who care about pam-ssh: RFC
On 2008-12-03T23:19:52, Jens Peter Secher wrote:
> * No SSH passphrase will be asked if the user has no SSH keys.
Is the idea to make the module optional if there is no private key? It
would be fine if the module is configured as optional (and perhaps
sufficient?), but if the module is required then it leaks if the key
exists and possibly if the user exists or not.
I authenticate against my private key by having common-auth read:
auth required pam_ssh.so keyfiles=id_dsa
(i.e. not using pam_unix). This currently leaks if the user is correct
or not via different behavior / error message and is bad by similar logic.
Life Integrity, LLC