Re: Bug#156257: ITP: libpam-ssh -- SSH key authentication and single sign-on via PAM
On Sun, Aug 11, 2002 at 06:59:29AM +0200, Russell Coker wrote:
> Normally to change a user's password you have to be root or to know the
> old password. This prevents someone from completely taking over your
> account if you leave your terminal logged in or get tricked into running
> a hostile script. This PAM module changes the regular Unix password
> semantics. With such a PAM module installed anyone who can write to your
> home directory can change your password.

I am not sure I see the problem? (irrelevant side note: do you need to
enter your old passphrase before changing it?)

Unless of course, you think .ssh/authorized_keys is a security risk for
exactly the same reasons? Anybody who has write access to
.ssh/authorized_keys can do exactly the same thing as if he can change
the user's password.

Plus! There's still more! Anybody who does change .ssh/authorized_keys
can do so in such a way that the real user can still log in, so the real
user may not even notice anything is wrong.

-- 
Brian May [EMAIL PROTECTED]
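The scenario Brian describes above, an attacker who can write ~/.ssh appends a key and the real user keeps logging in unaware, is the thing an administrator would want to check for. The audit script below is an added example, not code from this thread, from libpam-ssh or from Debian. It assumes a POSIX shell with ls, grep and id, and it assumes the administrator keeps a baseline copy of each user's authorized_keys outside the user's home (the baseline path and the user "alice" are hypothetical). The ownership and mode checks mirror what sshd's StrictModes refuses; the baseline comparison is what catches an appended key.

```shell
#!/bin/sh
# Added example, not code from this thread, from libpam-ssh or from Debian.
# Audits one user's home directory for the condition the discussion describes:
# write access to ~/.ssh is enough to authenticate as that user, and an added
# authorized_keys entry leaves the real key working, so the victim notices
# nothing. Ownership and mode checks mirror what sshd's StrictModes refuses;
# the baseline comparison catches an appended key. POSIX ls/grep/id only.

# check_perms PATH UID: PATH must exist, be owned by numeric UID and have no
# group or other write bit. Prints each problem found; returns 1 if any.
check_perms() {
    cp_path=$1
    cp_want_uid=$2
    if [ ! -e "$cp_path" ]; then
        echo "missing: $cp_path"
        return 1
    fi
    # ls -ldn prints "mode links uid gid ..." with numeric ids, so no passwd
    # lookup is needed (the user may not exist inside a container).
    set -- $(ls -ldn "$cp_path")
    cp_mode=$1
    cp_uid=$3
    cp_rc=0
    if [ "$cp_uid" != "$cp_want_uid" ]; then
        echo "wrong owner: $cp_path is uid $cp_uid, expected $cp_want_uid"
        cp_rc=1
    fi
    # Characters 6 and 9 of the mode string are the group and other write bits.
    case $cp_mode in
        ?????w*|????????w*)
            echo "group/other writable: $cp_path ($cp_mode)"
            cp_rc=1
            ;;
    esac
    return $cp_rc
}

# unexpected_keys AUTHORIZED_KEYS BASELINE: print key lines in the live file
# that are absent from the baseline (blank lines and comments ignored).
# Comparison is whole-line, so a changed option prefix (from=, command=)
# is reported too. Always returns 0; an empty result means nothing new.
unexpected_keys() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | grep -vxF -f "$2" || :
}

# audit_home HOME UID BASELINE: returns 0 only when HOME, HOME/.ssh and
# HOME/.ssh/authorized_keys are owned by UID with no group/other write
# bits, and every key in authorized_keys is also in BASELINE.
audit_home() {
    ah_home=$1
    ah_uid=$2
    ah_baseline=$3
    ah_status=0
    for ah_p in "$ah_home" "$ah_home/.ssh" "$ah_home/.ssh/authorized_keys"; do
        check_perms "$ah_p" "$ah_uid" || ah_status=1
    done
    if [ -f "$ah_home/.ssh/authorized_keys" ]; then
        ah_extra=$(unexpected_keys "$ah_home/.ssh/authorized_keys" "$ah_baseline")
        if [ -n "$ah_extra" ]; then
            echo "keys not in baseline:"
            echo "$ah_extra"
            ah_status=1
        fi
    fi
    return $ah_status
}

# demo: build a constructed, tampered home in a temp directory (hypothetical
# user "alice", fake key material) and run the audit against it. Returns 0
# when the audit correctly reports the tampering.
demo() {
    d=$(mktemp -d) || return 1
    chmod 755 "$d"
    mkdir "$d/.ssh" && chmod 700 "$d/.ssh"
    printf 'ssh-ed25519 AAAAC3FAKEREALKEY alice@laptop\n' > "$d/baseline"
    # the attacker keeps alice's key and appends their own
    printf 'ssh-ed25519 AAAAC3FAKEREALKEY alice@laptop\nssh-ed25519 AAAAC3FAKEEVILKEY mallory\n' \
        > "$d/.ssh/authorized_keys"
    chmod 600 "$d/.ssh/authorized_keys"
    if audit_home "$d" "$(id -u)" "$d/baseline"; then
        demo_rc=1      # tampering missed
    else
        demo_rc=0      # tampering reported
    fi
    rm -rf "$d"
    return $demo_rc
}

# Usage: sh audit-ssh-home.sh /home/alice "$(id -u alice)" /root/baselines/alice.keys
# (both paths hypothetical); with no arguments the demo runs.
if [ $# -eq 3 ]; then
    audit_home "$1" "$2" "$3"
elif [ $# -eq 0 ]; then
    demo
fi
```

Run it from a cron job as root against every home directory, with the baselines stored where the users cannot write. The whole-line comparison is deliberate: an entry whose `from=` or `command=` options were loosened is as much of a change as a new key, and a baseline diff is the only one of these checks that notices an appended key, since the file's owner and mode look normal after the attacker is done.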
Re: Bug#156257: ITP: libpam-ssh -- SSH key authentication and single sign-on via PAM
On Mon, Aug 12, 2002 at 04:15:15PM +1000, Brian May wrote:
> (irrelevant side note: do you need to enter your old passphrase before
> changing it?)

     -p      Requests changing the passphrase of a private key file
             instead of creating a new private key.  The program will
             prompt for the file containing the private key, for the old
             passphrase, and twice for the new passphrase.

-- 
Carlos Laviola [EMAIL PROTECTED]
Debian GNU/Linux http://www.debian.org
Re: Bug#156257: ITP: libpam-ssh -- SSH key authentication and single sign-on via PAM
On Mon, 12 Aug 2002, Brian May wrote:
> (irrelevant side note: do you need to enter your old passphrase before
> changing it?)

The passphrase actually encrypts your key, so you of course need to
supply it to change or reencrypt the key with a different passphrase.

yours,
peter

-- 
PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
messages preferred.       | : :' :      The universal
                          | `. `'      Operating System
http://www.palfrader.org/ |   `-    http://www.debian.org/
Re: Bug#156257: ITP: libpam-ssh -- SSH key authentication and single sign-on via PAM
On Sun, 11 Aug 2002 06:59:29 +0200, Russell Coker [EMAIL PROTECTED] said:
> With such a PAM module installed anyone who can write to your home
> directory can change your password.

The module provides only PAM auth and session components, so they can't
literally change your password. Yes, if they can write to your ~/.ssh
directory they'll be able to authenticate as you for any program which
uses the pam_ssh.so auth scheme, but if they can do that they can already
log in as you (by putting their key into your ~/.ssh directory) and
connecting with SSH.

Of course, installing the module won't turn it on for any PAM clients.
The admin will choose how they want to use it.

-- 
Roderick Schertler [EMAIL PROTECTED]