On 1110832581 seconds since the Beginning of the UNIX epoch
Christos Zoulas wrote:
>

>Weak == "empty passphrase". Isn't that right? The issue here is with
>the pam module, loading the weak key and trying to authenticate with
>an empty passphrase. Or am I understanding this incorrectly?

The main problem with pam_ssh.so is that the system administrator
and/or associated programs have no facility for controlling the
strength of the passwords used.  I think that the question to ask
oneself is ``why are ordinary passwords not stored in the user's
home directory owned by them?''  The answer to this question explains
why pam_ssh.so is a bad idea.

You lose:

	1.  administrative control over password changes,
	2.  the ability to require that a user at a terminal
	    enter the old password to change the password, and
	3.  password quality checking.

Using pam_ssh.so is quite specialised and so should be disabled by
default.  I would even go so far as to delete the line rather than
comment it out since we should not encourage people to use it at
all.

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/