svn commit: r304626 - head/lib/libpam/modules/pam_ssh
Eric van Gyzen
vangyzen at FreeBSD.org
Mon Aug 22 20:01:51 UTC 2016
I had never looked at pam_ssh before. Does it really ignore authorized_keys and
allow authentication using any of the default key file names? After a quick
read of the code, that certainly seems to be the case. Does anyone else find
that alarming? Sure, it's in my ~/.ssh directory and has appropriate
permissions, but that doesn't mean I want to use it for authentication to this
machine (or any machine sharing this home directory). That's what
authorized_keys is for. I might have created it only to authenticate from this
machine to another one. I might have even given it an empty passphrase because
that other machine is disposable and I don't really care about it.
Eric
On 08/22/2016 14:27, Ollivier Robert wrote:
> Author: roberto
> Date: Mon Aug 22 19:27:20 2016
> New Revision: 304626
> URL: https://svnweb.freebsd.org/changeset/base/304626
>
> Log:
> Add support for Ed25519 keys.
>
> Reported by: mwlucas
> MFH: 2 weeks
>
> Modified:
> head/lib/libpam/modules/pam_ssh/pam_ssh.8
> head/lib/libpam/modules/pam_ssh/pam_ssh.c
>
> Modified: head/lib/libpam/modules/pam_ssh/pam_ssh.8
> ==============================================================================
> --- head/lib/libpam/modules/pam_ssh/pam_ssh.8 Mon Aug 22 19:05:11 2016 (r304625)
> +++ head/lib/libpam/modules/pam_ssh/pam_ssh.8 Mon Aug 22 19:27:20 2016 (r304626)
> @@ -137,6 +137,8 @@ SSH2 RSA key
> SSH2 DSA key
> .It Pa $HOME/.ssh/id_ecdsa
> SSH2 ECDSA key
> +.It Pa $HOME/.ssh/id_ed25519
> +SSH2 Ed25519 key
> .El
> .Sh SEE ALSO
> .Xr ssh-agent 1 ,
>
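Review bot: the new `.It Pa $HOME/.ssh/id_ed25519` / `SSH2 Ed25519 key` entry matches the order and wording of the code list, but the man page list still describes these paths only as key file names without stating that every listed file that exists in `$HOME/.ssh` is tried as a login credential by this module; consider adding one sentence after the list saying so, so that a user who creates `id_ed25519` for outbound use understands what it now means for this module. Also, the `.Dd` line is not in this hunk; if it was not bumped elsewhere in the commit, bump it for the content change.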
> Modified: head/lib/libpam/modules/pam_ssh/pam_ssh.c
> ==============================================================================
> --- head/lib/libpam/modules/pam_ssh/pam_ssh.c Mon Aug 22 19:05:11 2016 (r304625)
> +++ head/lib/libpam/modules/pam_ssh/pam_ssh.c Mon Aug 22 19:27:20 2016 (r304626)
> @@ -81,6 +81,7 @@ static const char *pam_ssh_keyfiles[] =
> ".ssh/id_rsa", /* SSH2 RSA key */
> ".ssh/id_dsa", /* SSH2 DSA key */
> ".ssh/id_ecdsa", /* SSH2 ECDSA key */
> + ".ssh/id_ed25519", /* SSH2 Ed25519 key */
> NULL
> };
>
>
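Review bot: appending `".ssh/id_ed25519"` to `pam_ssh_keyfiles` (correctly placed before the `NULL` terminator) means an Ed25519 private key a user keeps in `~/.ssh` now also authenticates that account through PAM, on the same terms as the three existing entries, and the log message "Add support for Ed25519 keys" does not say so; state that consequence in the log, and since the array selects keys by file name rather than by an `authorized_keys` listing (the concern raised earlier in this thread), this is the natural point to either add such a check or document that the accepted set has widened.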
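To turn the concern in this thread into something an administrator can check, here is an added audit script (mine, not part of the FreeBSD commit or the pam_ssh module) that lists which of the four default key files from the patched `pam_ssh_keyfiles` array exist in a home directory and whether each one is passphrase-protected. For OpenSSH's `openssh-key-v1` container it reads the leading cipher and KDF name strings; for the older PEM container it looks for the `Proc-Type: 4,ENCRYPTED` header. The `demo()` function builds a throwaway home directory with constructed sample key files; the function names and the sample blobs are my assumptions, and the samples are not real keys.

```python
"""Audit a home directory for the default key files pam_ssh tries and report
whether each one is passphrase-protected (added example, not FreeBSD code)."""
import base64
import os
import struct
import tempfile

# Default key file names tried by pam_ssh, in the order of the r304626 list.
PAM_SSH_KEYFILES = (
    ".ssh/id_rsa",
    ".ssh/id_dsa",
    ".ssh/id_ecdsa",
    ".ssh/id_ed25519",
)

OPENSSH_MAGIC = b"openssh-key-v1\0"


def _ssh_string(b):
    """Encode bytes as an SSH length-prefixed string (uint32 big-endian length)."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    """Decode an SSH length-prefixed string at offset `off`."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + n], off + n


def key_is_encrypted(data):
    """Return True if the private key file is passphrase-protected, False if it
    is stored in the clear, or None if the container format is not recognised."""
    lines = [l.strip() for l in data.decode("ascii", "replace").splitlines() if l.strip()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return None
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        try:
            blob = base64.b64decode(body, validate=True)
        except ValueError:
            return None
        if not blob.startswith(OPENSSH_MAGIC):
            return None
        # openssh-key-v1 layout: magic, string ciphername, string kdfname, ...
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, off = _read_string(blob, off)
        return not (cipher == b"none" and kdf == b"none")
    # Legacy PEM container (id_rsa/id_dsa/id_ecdsa from older OpenSSH releases):
    # encryption is signalled by an RFC 1421 Proc-Type header.
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)


def audit_home(home):
    """Return [(relative_path, encrypted_flag)] for each default key file present."""
    results = []
    for rel in PAM_SSH_KEYFILES:
        path = os.path.join(home, rel)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            results.append((rel, key_is_encrypted(f.read())))
    return results


def make_openssh_pem(cipher, kdf):
    """Constructed sample: an openssh-key-v1 header with only the fields this
    audit inspects (magic, ciphername, kdfname, empty kdfoptions, nkeys=1)."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + body + "\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample of a legacy encrypted PEM key; the body is not a real key.
LEGACY_ENCRYPTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def demo():
    """Build a throwaway home with three constructed key files and audit it."""
    with tempfile.TemporaryDirectory() as home:
        ssh = os.path.join(home, ".ssh")
        os.makedirs(ssh)
        with open(os.path.join(ssh, "id_rsa"), "w") as f:
            f.write(LEGACY_ENCRYPTED_PEM)
        with open(os.path.join(ssh, "id_ecdsa"), "w") as f:
            f.write(make_openssh_pem(b"aes256-ctr", b"bcrypt"))
        with open(os.path.join(ssh, "id_ed25519"), "w") as f:
            f.write(make_openssh_pem(b"none", b"none"))   # the passphrase-less case
        return audit_home(home)


if __name__ == "__main__":
    for rel, enc in demo():
        print(rel, "encrypted" if enc else "NO PASSPHRASE" if enc is False else "unknown format")
```

Run against a real account with `audit_home(os.path.expanduser("~"))`; entries reported with `False` are exactly the files that this module would accept at login without any passphrase prompt, which is the case the thread worries about.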