pam_ssh problems

[Daniel O'Connor]

I have used pam_ssh before, and I have the following in /etc/pam.d/system :-
# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ldap.so             no_warn try_first_pass
auth            sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

(ie what the committed version suggests).

Just recently (last week or so) I have noticed that pam_ssh will let me 
login with _any_ password (empty, or just plain wrong)! :(

If I get the passphrase wrong I login, but the key is not added to
the agent (at least something is right :) It didn't used to do this
however..

I just found that I had made a id_rsa file for testing purposes with no 
passphrase on it. While that was a little dumb it seems very odd that
pam_ssh would let me in with any password - I think it would make
more sense to reject keys with no passphrase for authenitcation (with
say a nullok option).

I think I'll work on a patch.

Basically this is a heads up for anyone else that uses pam_ssh to be
a bit careful :)

-- 
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20050518/452899d5/attachment.bin