Hi,

On 13/01/15 05:00, aldiyen wrote:

> Anyone know why the NixOS PAM config that gets generated when the sshAgentAuth
> setting is set to true includes files owned by the user (within that user's
> home directory)?
> 
> It seems like this could be rather insecure, given that an attacker who
> obtained the ability to write files using the current user's permissions could
> simply write new SSH keys into these authorized keys files and obtain access to
> whatever services are configured to allow SSH agent-based authentication
> (including, perhaps, su and/or sudo)
> 
> Would it make more sense to change this to reference only the
> /etc/pam/authorized_keys.d/%u path?

I'm inclined to agree, but it's worth noting that the use of user-owned
authorized key files is sanctioned by the pam_ssh_agent_auth manpage:

  http://pamsshagentauth.sourceforge.net/

-- 
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
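
The concern discussed in this thread can be checked mechanically. The Python below is an added example, not code from NixOS, pam_ssh_agent_auth, or either poster: it reads a PAM service file and reports which `file=` key paths on a pam_ssh_agent_auth line can be edited by the authenticating user. Assumptions: the sample PAM lines are constructed, the colon-separated `file=` list is assumed to be how several key files are given, and the function names are hypothetical.

```python
# Added example: flag pam_ssh_agent_auth key files an unprivileged user can edit.
USER_EDITABLE = "user-editable"
ROOT_OWNED = "must be root-owned"

# Constructed sample; the ':'-separated file= list is an assumption.
SAMPLE_PAM = """\
# sudo service (constructed)
auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/pam/authorized_keys.d/%u
auth sufficient pam_unix.so likeauth try_first_pass
"""
HARDENED_PAM = "auth sufficient pam_ssh_agent_auth.so file=/etc/pam/authorized_keys.d/%u\n"


def audit_pam_line(line):
    """Classify every file= path on one pam_ssh_agent_auth line."""
    fields = line.split()
    if not any(f.endswith("pam_ssh_agent_auth.so") for f in fields):
        return []
    # Manpage: this flag lets the key file be owned by the invoking user.
    flag = "allow_user_owned_authorized_keys_file" in fields
    findings = []
    for field in fields:
        if not field.startswith("file="):
            continue
        for path in field[len("file="):].split(":"):
            # Manpage: ~ and %h expand to the home directory and turn the
            # user-owned allowance on implicitly.
            in_home = path.startswith("~") or "%h" in path
            findings.append((path, USER_EDITABLE if in_home or flag else ROOT_OWNED))
    return findings


def audit_pam_config(text):
    """Return (line_number, path, verdict) for a whole PAM service file."""
    results = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        results += [(number, p, v) for p, v in audit_pam_line(line)]
    return results


def user_editable_paths(text):
    """List only the key-file paths the authenticating user could rewrite."""
    return [p for _, p, v in audit_pam_config(text) if v == USER_EDITABLE]


if __name__ == "__main__":
    for number, path, verdict in audit_pam_config(SAMPLE_PAM):
        print(f"line {number}: {path}: {verdict}")
```

A path reported as root-owned still needs its on-disk ownership and mode checked, since this audit only reads the PAM configuration.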
