Subject: Re: Regarding the use of pam_ssh
To: Jason Thorpe <thorpej@shagadelic.org>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: tech-security
Date: 02/27/2005 11:05:42
On Jul 20,  2:45am, Jason Thorpe wrote:
} On Feb 27, 2005, at 1:56 AM, John Nemeth wrote:
} 
} >      I am working on creating a couple of missing files (pppd and
} > racoon).  I noticed that during this cleanup you nuked pam_ssh from the
} > auth section of several files, although it is in the new
} > display_manager file.  I was just wondering why this was done?
} 
} I nuked it from services where the ssh passphrase could be compromised 
} by being sent over an unencrypted channel.

     Okay, this is understandable.

} I have similar misgivings about pam_krb5 and certain protocols.

     Yes, this should probably be treated the same as pam_ssh.
However, doing so may cause surprising changes in the way
authentication works for those certain protocols.

} Anyway, pam_ssh for a display manager is perfectly fine, since you're 
} (almost certainly) sitting at a console in that case.

     I must be the exception since my primary use of display managers
is for managing real live X terminals (NCD).

     Based on this, pppd should be fine, since it would primarily be
used for modems that are directly attached to the system (modems
attached to terminal servers would usually use RADIUS).  How about
racoon?  I don't know if the passwords it sends are sent over an
encrypted channel.  Since login would be used primarily by getty running
on the console or direct attached serial terminals/modems, how about
it?

}-- End of excerpt from Jason Thorpe
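The rule discussed above (pam_ssh only in the auth section of services whose prompt stays on a local channel, never on a service where the passphrase would cross an unencrypted network connection) can be checked mechanically. The shell audit below is an added example; it is not part of this thread and not NetBSD's own pam.d files or code. The sample pam.d tree, the LOCAL_OK list of "console-only" services, the file paths and the module options on the sample lines are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from NetBSD): flag pam_ssh in the
# "auth" section of any pam.d service that is NOT on an assumed list of
# services whose password prompt stays on a local channel.

# Assumed policy list: services where the passphrase is typed at a console
# or on a directly attached serial line, so pam_ssh is acceptable there.
LOCAL_OK="display_manager login pppd"

# audit_pam_ssh DIR
# Prints, space separated, every service file under DIR that has a
# non-comment "auth" line loading pam_ssh and is not in LOCAL_OK.
# Prints an empty line when nothing is found.
audit_pam_ssh() {
    dir=$1
    bad=""
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        svc=$(basename "$f")
        # Only "auth" lines count; a leading '#' comment is ignored.
        if grep -Eq '^[[:space:]]*auth[[:space:]].*pam_ssh' "$f"; then
            case " $LOCAL_OK " in
                *" $svc "*) ;;                  # local-channel service: fine
                *) bad="$bad $svc" ;;           # network service: flag it
            esac
        fi
    done
    echo "${bad# }"
}

# make_sample
# Builds a constructed pam.d tree in a temp dir and prints its path.
# The module options shown (no_warn, try_first_pass) are assumptions.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/display_manager" <<'EOF'
# auth section: user sits at the console, so pam_ssh is acceptable here
auth    sufficient  pam_ssh.so  no_warn try_first_pass
auth    required    pam_unix.so no_warn try_first_pass
EOF
    cat > "$d/ftpd" <<'EOF'
# the ftp password travels in clear text, so pam_ssh does not belong here
auth    sufficient  pam_ssh.so  no_warn try_first_pass
auth    required    pam_unix.so no_warn try_first_pass
EOF
    cat > "$d/login" <<'EOF'
auth    required    pam_unix.so no_warn try_first_pass
EOF
    echo "$d"
}

# Usage against the constructed tree (for a real system: audit_pam_ssh /etc/pam.d)
SAMPLE=$(make_sample)
audit_pam_ssh "$SAMPLE"
rm -rf "$SAMPLE"
```

Running it on the constructed tree prints only `ftpd`: display_manager is on the allowed list and login has no pam_ssh line at all. The LOCAL_OK list is the policy decision from the thread expressed as data; whether racoon or any other service belongs on it is exactly the question John raises and the script does not answer it.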