[Petr Šťastný]
> I just dug more deeply into this problem.
>
> First problem: I found that pam_sshauth reads
> /etc/ssh/ssh_known_hosts, which is not mentioned in the manual page and I
> was not able to figure out which known_hosts file is used. I had to
> have a look into the source code.

Good to hear that it is reading the global file.

> Second problem: pam_sshauth seems not to write anything into
> /etc/ssh/ssh_known_hosts although the manual page states that "If
> contacting a host for which we don't have an entry in known_hosts,
> ask, via the pam prompts, if you'd like to trust this host, and add it
> to your known_hosts file. The default will be to fail the
> authentication." I interpret this information as it should add the
> host into ssh_known_hosts when I say "yes". But there is nothing about
> saving the host key in pam_sshauth's source code.

Good to see that it is not writing in the global file. I suspect it
should be made clear in the documentation. That global file should be
updated "out of band" like you describe here:

> Third and main problem: pam_sshauth does not work with hashed
> known_hosts entries, which is the default behavior in Debian Jessie (at
> least, I don't know the situation in previous releases).
>
> If I create /etc/ssh/ssh_known_hosts manually using the following
> command, it works:
>
> ssh-keyscan X.X.X.X > /etc/ssh/ssh_known_hosts
>
> But this (which is the Debian Jessie default) does not work (host
> name/address output is hashed) - pam_sshauth ignores these entries:
>
> ssh-keyscan -H X.X.X.X > /etc/ssh/ssh_known_hosts

I guess this is the real missing feature here. The pam module should
understand the same global known_hosts file as the ssh client.

I would also suggest changing the documentation to document that the
ssh host to use MUST be listed in /etc/ssh/ssh_known_hosts, and remove
the prompt about adding the host key to a file.

--
Happy hacking
Petter Reinholdtsen
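The lookup the thread asks for, as an added example that is not part of the mailing-list discussion or of pam_sshauth itself: a known_hosts lookup that accepts both plain entries and the `|1|salt|hash` entries written by `ssh-keyscan -H` (HMAC-SHA1 of the hostname keyed with the salt, both base64), and fails closed when the host is absent. The host names, salt and key bodies below are constructed sample data; wildcard patterns and `@cert-authority`/`@revoked` markers are left out.

```python
import base64
import hashlib
import hmac


def hash_known_hosts_name(hostname: str, salt: bytes) -> str:
    """Build the '|1|<salt>|<hmac>' host token OpenSSH writes for hashed entries."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def hostname_matches(host_field: str, hostname: str) -> bool:
    """Match one known_hosts host field (plain comma-separated list or hashed) against hostname."""
    if host_field.startswith("|1|"):
        try:
            _, _, salt_b64, hash_b64 = host_field.split("|", 3)
            salt = base64.b64decode(salt_b64)
            expected = base64.b64decode(hash_b64)
        except ValueError:
            return False  # malformed hashed entry: treat as no match rather than guessing
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    # Plain entry: exact match on any of the comma-separated names (no wildcards here).
    return hostname in host_field.split(",")


def find_host_keys(known_hosts_text: str, hostname: str):
    """Return [(keytype, base64key), ...] for hostname; an empty list means 'not listed'."""
    keys = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # comments and marker lines (@cert-authority, @revoked) are skipped
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue  # not a 'host keytype key [comment]' record
        if hostname_matches(parts[0], hostname):
            keys.append((parts[1], parts[2]))
    return keys


# Constructed sample file: one plain entry and one hashed entry, as ssh-keyscan / ssh-keyscan -H would produce.
SAMPLE_SALT = bytes(range(20))  # OpenSSH uses a 20-byte salt; this fixed one is for the demo only
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed /etc/ssh/ssh_known_hosts",
    "192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyPlain",
    hash_known_hosts_name("192.0.2.11", SAMPLE_SALT) + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyHashed",
])

if __name__ == "__main__":
    for host in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(host, "->", find_host_keys(SAMPLE_KNOWN_HOSTS, host) or "NOT LISTED, refuse")
```

A module that only handles the plain form would report 192.0.2.11 as unknown and, per the thread, should fail the authentication rather than prompt.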

