On Sun, 27 Feb 2005, Jason Thorpe wrote:
> I nuked it from services where the ssh passphrase could be compromised 
> by being sent over an unencrypted channel.
> 
> I have similar misgivings about pam_krb5 and certain protocols.
> 
> Anyway, pam_ssh for a display manager is perfectly fine, since you're 
> (almost certainly) sitting at a console in that case.

I think that pam_ssh should not be enabled by default for any
services, for too reasons:

1. People sometimes use weak ssh passphrases, under the assumption that
   an opponent with the passphrase will not be able to do anything
   without also having access to a copy of the encrypted private key.
   pam_ssh changes this so that mere possession of the passphrase
   allows access to the account, which in turn allows access to the
   encrypted private key, which allows the opponent to make outgoing
   SSH connections as the user.  In other words, pam_ssh changes
   the security model for SSH passphrases from "need passphrase and
   encrypted private key to do anything" to "need passphrase to do
   anything".

2. As Jason said, the passphrase may be sent in cleartext over
   easily-snoopable channels.

Some people might have a use for pam_ssh, and they should be allowed to
use it, but the security implications should be better documented, and
it should not be enabled by default.

--apb (Alan Barrett)