I have recently adopted the libpam-ssh package and made a lot of changes in the way the PAM module works. In summary, the module did not work as advertised, so I rewrote parts of it while trying to make as little disruption as possible, but one cannot make an omelet...

Because of the security implications of changing a PAM module, I would welcome some peer reviewing of the changes I have made. The new package has been uploaded to experimental, and the NEWS.Debian is as follows. Also, I would like comments in general about whether there are better ways to solve the problems.

 * The PAM modules are now named 'ssh_auth' and 'ssh_session' which seems to be more in line with other PAM modules' names.
 * The 'keyfiles' option is now obsolete. Instead the authentication module will automatically locate all files matching the pattern 'id_*' (the idea for this came from a patch from Javier Serrano Polo).
 * The 'try_first_pass' now works as advertised, namely by asking for an SSH passphrase if the password from the previous PAM module fails to unlock any of the user's SSH keys.
 * The 'debug' option now works as advertised, and the output goes into /var/log/auth.log .
 * No SSH passphrase will be asked if the user has no SSH keys.

Thanks in advance,
/JP

--
Jens Peter Secher. _DD6A 05B0 174E BFB2 D4D9 B52E 0EE5 978A FE63 E8A1 jpsecher gmail com_.
A. Because it breaks the logical sequence of discussion.
Q. Why is top posting bad?