Subject: Re: Regarding the use of pam_ssh
To: Jason Thorpe <thorpej@shagadelic.org>
From: Roland Dowdeswell <elric@imrryr.org>
List: tech-security
Date: 02/27/2005 15:15:59

On 1109520604 seconds since the Beginning of the UNIX epoch
Jason Thorpe wrote:
>
>On Feb 27, 2005, at 1:56 AM, John Nemeth wrote:
>
>>      I am working on creating a couple of missing files (pppd and
>> racoon).  I noticed that during this cleanup you nuked pam_ssh from the
>> auth section of several files, although it is in the new
>> display_manager file.  I was just wondering why this was done?
>
>I nuked it from services where the ssh passphrase could be compromised 
>by being sent over an unencrypted channel.
>
>I have similar misgivings about pam_krb5 and certain protocols.
>
>Anyway, pam_ssh for a display manager is perfectly fine, since you're 
>(almost certainly) sitting at a console in that case.

pam_ssh should not be enabled in the default system because:

	1.  it is counter-intuitive,
	2.  people often use weak passphrases or no passphrases
	    under the assumption that file permissions work, and
	3.  probably most importantly, pam_ssh is the kind of
	    authentication that only works on a single-user machine
	    because your password is directly under your control.
	    The system administrator has no effective means to
	    enforce anything resembling password quality.

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/
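
An audit for the concern discussed in this thread, added here as an example and not part of the original messages: it lists every PAM policy whose auth chain reaches pam_ssh, directly or through an `include`, other than the console-only `display_manager` case. The policy texts are constructed samples, and the function names and the `CONSOLE_ONLY` allowlist are assumptions of this example.

```python
import re

# Constructed sample policies (name -> text of /etc/pam.d/<name>); not real system files.
SAMPLE = {
    "system": "auth sufficient pam_ssh.so no_warn try_first_pass\n"
              "auth required pam_unix.so no_warn try_first_pass\n",
    "display_manager": "# console login\nauth sufficient pam_ssh.so\n"
                       "auth required pam_unix.so\n",
    "ftpd": "auth include system\naccount required pam_unix.so\n",
    "pppd": "auth required \\\n    pam_unix.so no_warn\nsession optional pam_ssh.so\n",
}

# Assumption: the only policy accepted in the thread as console-only.
CONSOLE_ONLY = {"display_manager"}

# facility, control (plain word or [bracketed list]), then module path or included policy
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def rules(text):
    """Yield (facility, control, target) per rule; joins backslash continuations."""
    for line in text.replace("\\\n", " ").splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:
            yield m.group(1).lower(), m.group(2), m.group(3)


def auth_uses(policies, name, module="pam_ssh", seen=None):
    """True if the auth chain of policy `name` reaches `module`, following includes."""
    seen = set() if seen is None else seen
    if name in seen or name not in policies:
        return False  # include loop, or a policy file we were not given
    seen.add(name)
    pattern = rf"(.*/)?{re.escape(module)}(\.so(\.\d+)*)?"
    for facility, control, target in rules(policies[name]):
        if facility != "auth":
            continue  # a session-only pam_ssh line never sees the passphrase prompt
        if control == "include":
            if auth_uses(policies, target, module, seen):
                return True
        elif re.fullmatch(pattern, target):
            return True
    return False


def audit(policies, console_only=CONSOLE_ONLY):
    """Policies outside the console-only set whose auth chain reaches pam_ssh."""
    return sorted(n for n in policies if n not in console_only and auth_uses(policies, n))
```

On a live system the `policies` dictionary would be built by reading each file under `/etc/pam.d`; a shared policy flagged here (like the sample `system`) matters because every service that includes it inherits the pam_ssh line.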