Johnny Billquist wrote:
> On Sun, 13 Mar 2005, Manuel Bouyer wrote:
> 
>> On Sun, Mar 13, 2005 at 06:33:18PM +0000, dieter wrote:
>>
>>>
>>> I think either
>>> 1) pam_ssh.so should be commented out in /etc/pam.d/sshd
>>> or
>>> 2) a warning should be added to UPDATING that the behaviour of sshd is
>>> changed.
>>>
>>> Suddenly, identities in ~/.ssh work in 2 directions; not only to login
>>> some place else, but also to authenticate from remote on the local
>>> machine, regardless the contents of authorized_keys.
>>
>>
>> I, too, think this is bad.
> 
> 
> This is not just bad, this is bloody serious. How the f*ck did that one 
> pass by?

Dunno how, but I agree with your assessment.  Two accounts on my home 
machine were wide open for several days until I noticed it and commented 
out that line in the pam config.  I expect some breakage in current, but 
now that several people have pointed out how broken this is, it needs to 
be fixed.  I don't think #2 above is good enough, personally.  This new 
authentication mechanism should not be enabled by default.  IMHO of course.

Cheers,
entropy

-- 
entropy -- it's not just a good idea, it's the second law.