Package: libpam-ssh
Version: 1.91.0-9.1
Severity: critical

If pam-ssh tries to decrypt a key which is not protected by a passphrase, it will succeed with any arbitrary string, not just the empty string. As such, disallowing null does not protect the user.

Since it is likely that a user may have left an unprotected key lying around, even if it isn't actually used for anything, that account is quite vulnerable. And since that seems like a reasonable likelihood, I think using pam-ssh for authentication should be considered extremely risky.
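The defensive check the report implies, as an added example that is not part of the bug report or of libpam-ssh: before treating "can you decrypt this key?" as an authentication factor, verify that the key file is actually passphrase-protected, and refuse unencrypted keys outright rather than relying on a non-empty-passphrase rule. The sample key files below are constructed for the demonstration (the OpenSSH blobs carry only the format header, not real key material); the function names are this example's own.

```python
"""Refuse unencrypted private keys as passphrase authenticators.

Added example, not code from libpam-ssh. Per the report above, decrypting a
key that has no passphrase 'succeeds' for any input string, so a passphrase
check against such a key verifies nothing. The fix is to detect unencrypted
keys first and fail closed.
"""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_ssh_string(buf: bytes, offset: int):
    """Parse one SSH wire 'string' (uint32 length prefix) at offset."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[start:end], end


def is_key_encrypted(key_text: str) -> bool:
    """Return True only if the private key file is passphrase-protected.

    Handles the two formats OpenSSH writes:
      * legacy PEM ("BEGIN RSA/DSA/EC PRIVATE KEY"): encrypted keys carry
        'Proc-Type: 4,ENCRYPTED' plus a 'DEK-Info' header;
      * new format ("BEGIN OPENSSH PRIVATE KEY"): the decoded blob names a
        cipher, and 'none' means unencrypted.
    Anything unrecognised raises ValueError so callers can fail closed.
    """
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") \
            or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-framed private key")
    header, body = lines[0], lines[1:-1]

    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(body), validate=True)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        ciphername, _ = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        return ciphername != b"none"

    if header.endswith("PRIVATE KEY-----"):
        # Legacy PEM: RFC 1421 headers, then a blank line, then the body.
        headers = {}
        for ln in body:
            if not ln:
                break
            if ":" in ln:
                k, v = ln.split(":", 1)
                headers[k.strip()] = v.strip()
        return headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers

    raise ValueError(f"unsupported key header: {header}")


def key_usable_for_passphrase_auth(key_text: str) -> bool:
    """Gate for a PAM-style 'prove you know this key's passphrase' check.

    Unencrypted keys are rejected up front: there is no secret to verify, so
    decryption would succeed for any passphrase. Unparseable input is also
    rejected (fail closed) instead of being handed to a decryptor.
    """
    try:
        return is_key_encrypted(key_text)
    except ValueError:
        return False


def _constructed_openssh_key(cipher: bytes) -> str:
    """Build a minimal constructed openssh-key-v1 header (not a real key)."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples. The legacy PEM bodies are filler; only headers matter here.
SAMPLE_OPENSSH_PLAIN = _constructed_openssh_key(b"none")
SAMPLE_OPENSSH_ENCRYPTED = _constructed_openssh_key(b"aes256-ctr")
SAMPLE_PEM_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
-----END RSA PRIVATE KEY-----
"""
SAMPLE_PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, sample in [("openssh plain", SAMPLE_OPENSSH_PLAIN),
                         ("openssh encrypted", SAMPLE_OPENSSH_ENCRYPTED),
                         ("pem plain", SAMPLE_PEM_PLAIN),
                         ("pem encrypted", SAMPLE_PEM_ENCRYPTED)]:
        print(f"{name}: usable for passphrase auth = "
              f"{key_usable_for_passphrase_auth(sample)}")
```

The same check, run over each key file in a user's `~/.ssh` before enabling key-based PAM authentication for that account, also serves as an audit for the "unprotected key left lying around" case the report describes: any file for which `is_key_encrypted` returns False is one that would let any passphrase through.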

