Re: HEAD's UP: possible 0day SSH exploit in the wild

On Wed, Jul 08, 2009 at 02:03:57PM -0700, Roger Bumgarner wrote:
> As far as I know, it does keys first then falls back to passwords. I'd
> imagine PAM could help, but I'm not knowledgeable enough in regards to
> that. I know you're only limited by your imagination when it comes to
> PAM authentication. SSH-keys can (and should!) be password-protected
> already.

One of the big problems with ssh keys, though, is that there's no way
for an admin to force a user's key to be password protected.  On
occasion, when there are other restrictions in place, passwordless keys
are a good thing and can be used safely, but when used to access a
user's account, they're always bad.

Also, since ssh public key auth isn't handled by PAM, I don't believe
there's a way to use PAM to require both keys and passwords.  I could be
wrong, though.  My users would shoot me if I ever tried such a thing.
(Plus we've got Kerberos and don't usually mess around with keys or

Not that any of this will help if this alleged sshd vulnerability can be
triggered prior to authentication.
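The message above treats passwordless keys as acceptable only "when there are other restrictions in place". The following is an added example, not code from the original thread or from OpenSSH: a small audit script that parses an `authorized_keys` file and flags entries that carry none of the options sshd uses to confine a key (`from=`, `command=`, or `restrict`). The sample file is constructed for the example and its key material is placeholder text, not real keys.

```python
import re

# Key types accepted in an authorized_keys entry (plus OpenSSH certificate variants).
KEY_TYPE_RE = re.compile(
    r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)"
    r"|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)"
    r"(-cert-v01@openssh\.com)?$"
)

# Options that confine what a key can do; an entry lacking all of them is flagged.
RESTRICTING_OPTIONS = ("from=", "command=", "restrict")

# Constructed sample authorized_keys; the base64 fields are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataOnly user@laptop
from="10.0.0.0/8,192.168.1.5",command="/usr/local/bin/backup --run" ssh-rsa AAAAB3NzaC1yc2EExampleKeyData backup@host
restrict,command="/usr/bin/rsync --server" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyData2 mirror
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYExampleKeyData deploy
"""


def split_options(options_str):
    """Split the comma-separated options field, honouring double quotes and backslash escapes."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(options_str):
        c = options_str[i]
        if c == "\\" and in_quote and i + 1 < len(options_str):
            cur.append(c)
            cur.append(options_str[i + 1])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:
            opts.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if cur:
        opts.append("".join(cur))
    return opts


def parse_entry(line):
    """Return (options, key_type, comment) for one entry, or None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    # The first field ends at the first whitespace that is not inside double quotes.
    i, in_quote = 0, False
    while i < len(stripped):
        c = stripped[i]
        if c == "\\" and in_quote:
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    first = stripped[:i]
    if KEY_TYPE_RE.match(first):
        options, rest = [], stripped          # no options field present
    else:
        options, rest = split_options(first), stripped[i:].strip()
    fields = rest.split(None, 2)
    if len(fields) < 2 or not KEY_TYPE_RE.match(fields[0]):
        raise ValueError("malformed authorized_keys entry: %r" % line)
    comment = fields[2] if len(fields) > 2 else ""
    return options, fields[0], comment


def is_restricted(options):
    """True if any option confines the key (option names are case-insensitive in sshd)."""
    return any(opt.lower().startswith(RESTRICTING_OPTIONS) for opt in options)


def audit_authorized_keys(text):
    """Return a list of findings for entries that carry no restricting option."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_entry(line)
        if parsed is None:
            continue
        options, key_type, comment = parsed
        if not is_restricted(options):
            findings.append({"line": lineno, "key_type": key_type, "comment": comment})
    return findings


if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print("line %d: %s key %r has no from=/command=/restrict option"
              % (f["line"], f["key_type"], f["comment"]))
```

Run against a real file with `audit_authorized_keys(open(path).read())`; an unrestricted entry is not necessarily wrong, but it is exactly the kind of key the message says should never be a passwordless one, so each finding is a key whose passphrase status is worth confirming with its owner.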