On Sun, 3 Oct 2021 03:25:54 +0300 Matti Kurkela <matti.kurk...@iki.fi> wrote:

Dear Kurkela, thanks for your report.

I apologize for my late reply.

Actually I agree with your comments.
My current setup on my main computer follows your comment below.

As far as I can remember, I have never revisited the pam-auth-update(8)
configuration file of this package since I began to maintain it.

Meanwhile, note that I put some warning in the README.Debian file.

Can you share your /etc/pam.d/login and /etc/pam.d/*dm files so that
I can compare with my setup?


The workaround/fix for this would be to not let pam-auth-update add pam_ssh.so into common-auth and common-session, but add the necessary lines *selectively* only to services that handle local logins like /etc/pam.d/login and /etc/pam.d/*dm, but *not* to /etc/pam.d/sshd.

That should allow libpam-ssh to start the agent on initial login, but leave the SSH sessions and their agent forwarding alone.

If you need the "authentication by SSH key passphrase" functionality on SSH connections, you could add only the "auth optional pam_ssh.so try_first_pass" line to /etc/pam.d/sshd. (Note that this line should not be the first authentication module, to prevent an information leak, as described in the pam_ssh(8) man page.)



Cheers,
Jerome

--
Jerome BENOIT | calculus+at-rezozer^dot*net
https://qa.debian.org/developer.php?login=calcu...@rezozer.net
AE28 AE15 710D FF1D 87E5  A762 3F92 19A6 7F36 C68B
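
An added example, not part of the original message or of the libpam-ssh package: a small Python check for the layout described in the workaround above. It flags pam_ssh.so in common-auth or common-session, a session pam_ssh.so line in sshd, and pam_ssh.so as the first auth entry in sshd. The function names and the sample file contents are constructed for illustration; an "@include common-auth" line is counted as an auth entry, which is a simplification.

```python
def entries(text):
    """Yield (type, module) per PAM rule; '@include common-X' yields (X, '@include')."""
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()          # drop comments, then tokenize
        if len(tok) >= 2 and tok[0] == "@include":
            # common-auth -> auth, common-session-noninteractive -> session
            yield tok[1].removeprefix("common-").split("-")[0], "@include"
        elif len(tok) >= 3:
            # control may be bracketed ([success=1 default=ignore]), so find the .so token
            module = next((t for t in tok[1:] if t.endswith(".so")), tok[2])
            yield tok[0].lstrip("-"), module

def audit(files):
    """files maps a name under /etc/pam.d to its text; returns a list of findings."""
    findings = []
    for name in ("common-auth", "common-session"):
        if any("pam_ssh.so" in m for _, m in entries(files.get(name, ""))):
            findings.append(f"{name}: pam_ssh.so applies to every service, sshd included")
    sshd = list(entries(files.get("sshd", "")))
    if any(t == "session" and "pam_ssh.so" in m for t, m in sshd):
        findings.append("sshd: session pam_ssh.so touches SSH sessions and agent forwarding")
    auth = [m for t, m in sshd if t == "auth"]
    if auth and "pam_ssh.so" in auth[0]:
        findings.append("sshd: pam_ssh.so is the first auth module")
    return findings

# Constructed sample: pam_ssh.so added globally and placed first in sshd.
BAD = {
    "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok\n"
                   "auth optional pam_ssh.so try_first_pass\n",
    "common-session": "session required pam_unix.so\nsession optional pam_ssh.so\n",
    "sshd": "auth optional pam_ssh.so try_first_pass\n"
            "@include common-auth\n@include common-session\n",
}
# Constructed sample: pam_ssh.so only in login, plus the optional auth line in sshd.
GOOD = {
    "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok\n",
    "common-session": "session required pam_unix.so\n",
    "login": "@include common-auth\nauth optional pam_ssh.so try_first_pass\n"
             "@include common-session\nsession optional pam_ssh.so\n",
    "sshd": "@include common-auth\nauth optional pam_ssh.so try_first_pass\n"
            "@include common-session\n",
}

if __name__ == "__main__":
    for label, files in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, audit(files) or "no findings")
```

To check a real host, build the dictionary by reading the files under /etc/pam.d and pass it to audit().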
