Geoff Wing wrote:
> maximum entropy <entropy@entropy.homeip.net> output:
> :4.  $ ssh-keygen -t dsa -N "" -f $HOME/.ssh/id_dsa
> 
> I think this is why it didn't work for me.  I wasn't using one of
> (excerpt from src/lib/libpam/modules/pam_ssh/pam_ssh.c:79)
> 	static const char *pam_ssh_keyfiles[] = {
>         	".ssh/identity",        /* SSH1 RSA key */
> 		".ssh/id_rsa",          /* SSH2 RSA key */
> 		".ssh/id_dsa",          /* SSH2 DSA key */
> 		NULL
> 	};
> 
> I'm guessing that these are allowed in addition to authorized_keys.
> Although I haven't confirmed it, I can't think of any other reason
> why they are in the pam_ssh.c file.  In fact, pam_ssh(8) mentions
> them but doesn't mention why.

I think you may be confused about pam_ssh.  It really has nothing to do 
with authorized_keys.  It allows you to log in to the system if you know 
the passphrase for any of the private keys listed above, stored in the 
target account.  That's precisely why it's a problem:  the passphrase 
may not be secure, and previously that would only put the key at risk. 
Now (in the default configuration) it puts the key *and* login access at 
risk.

-- 
entropy -- it's not just a good idea, it's the second law.