Not too long ago there was a question here about why pam is
needed (or not) but I can't find that thread at the moment :-/

Anyway, I said that I put "auth sufficient pam_ssh.so" in
my /etc/pam.d/system-auth file so that I can ssh between
the machines on my home network using my ssh key for login
authentication *instead* of a password.

Well, Neil said that I don't need pam for that because sshd
handles ssh logins automatically, whether by key or password.

I deleted that line from system-auth and found that I could
indeed ssh between machines using my ssh key, just as Neil
said.

However...

Then I remembered that the *real* reason I added that line
to system-auth is so that I can log in directly (not via ssh)
to my local machines using my ssh passphrase instead of an
ordinary password.  (This seems inherently more secure to
me, but I could be wrong.)

After thinking awhile I realized that pam can be used to
combine multiple forms of authentication to reduce the well
documented risk of single-factor authentication (like our
traditional password system).

Example:  if I have an ordinary password, plus an ssh key
stored on a USB stick, plus a biometric device like an
eye scanner or a fingerprint scanner, I can then use any
or all of those methods to identify myself to the system
by configuring pam in the appropriate way.

Any sysadmins out there that can confirm my reasoning?
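To make the "any or all" distinction concrete, here is an added example (not from the post and not Linux-PAM's own code) that models how the control flags in an auth stack combine per-module results; the pam_unix.so line and the ordering of lines are assumptions, since the post only quotes the pam_ssh.so line.

```python
# Minimal model of how a Linux-PAM "auth" stack combines module results.
# Module outcomes are passed in as a dict so the stacking rules can be
# exercised offline; this is an illustration, not the PAM library.

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"


def evaluate_stack(stack, results):
    """stack: list of (control, module); results: {module: True (pass) / False (fail)}."""
    required_failed = False
    for control, module in stack:
        ok = results.get(module, False)
        if control == REQUIRED:
            if not ok:
                required_failed = True   # remembered, but later modules still run
        elif control == REQUISITE:
            if not ok:
                return False             # fail immediately
        elif control == SUFFICIENT:
            if ok and not required_failed:
                return True              # short-circuit: remaining modules are skipped
        elif control == OPTIONAL:
            pass                         # ignored when other modules are present
        else:
            raise ValueError(f"unknown control flag: {control}")
    return not required_failed


# The poster's layout: ssh passphrase OR unix password is enough ("any").
ANY_FACTOR = [
    (SUFFICIENT, "pam_ssh.so"),   # the line quoted in the post
    (REQUIRED, "pam_unix.so"),    # assumed to follow it in system-auth
]

# Two-factor layout: both must succeed ("all").
ALL_FACTORS = [
    (REQUIRED, "pam_unix.so"),
    (REQUIRED, "pam_ssh.so"),
]


def demo():
    """Return (passphrase-only under ANY, passphrase-only under ALL)."""
    only_passphrase = {"pam_ssh.so": True, "pam_unix.so": False}
    return evaluate_stack(ANY_FACTOR, only_passphrase), evaluate_stack(ALL_FACTORS, only_passphrase)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Note that a `sufficient` module placed after a failed `required` one cannot rescue the login, so the order of lines matters as much as the flags.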
