From owner-freebsd-security@freebsd.org  Mon Aug 22 20:01:50 2016
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id F1F89BC242F
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Mon, 22 Aug 2016 20:01:50 +0000 (UTC)
 (envelope-from vangyzen@FreeBSD.org)
Received: from smtp.vangyzen.net (hotblack.vangyzen.net [199.48.133.146])
 by mx1.freebsd.org (Postfix) with ESMTP id DD45A1A18
 for <freebsd-security@FreeBSD.org>; Mon, 22 Aug 2016 20:01:50 +0000 (UTC)
 (envelope-from vangyzen@FreeBSD.org)
Received: from ford.home.vangyzen.net (unknown [76.164.15.242])
 by smtp.vangyzen.net (Postfix) with ESMTPSA id C1B7A56488
 for <freebsd-security@FreeBSD.org>; Mon, 22 Aug 2016 15:01:44 -0500 (CDT)
Subject: Re: svn commit: r304626 - head/lib/libpam/modules/pam_ssh
References: <60cfbe14-5110-df59-29f3-2ede0fcf5456@FreeBSD.org>
To: freebsd-security@FreeBSD.org
From: Eric van Gyzen <vangyzen@FreeBSD.org>
X-Forwarded-Message-Id: <60cfbe14-5110-df59-29f3-2ede0fcf5456@FreeBSD.org>
Message-ID: <26e1bd89-46c4-e1c1-4c2a-5ac9a830f0c7@FreeBSD.org>
Date: Mon, 22 Aug 2016 15:01:44 -0500
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:45.0) Gecko/20100101
 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <60cfbe14-5110-df59-29f3-2ede0fcf5456@FreeBSD.org>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Aug 2016 20:01:51 -0000

I had never looked at pam_ssh before.  Does it really ignore authorized_keys and
allow authentication using any of the default key file names?  After a quick
read of the code, that certainly seems to be the case.  Does anyone else find
that alarming?  Sure, it's in my ~/.ssh directory and has appropriate
permissions, but that doesn't mean I want to use it for authentication to this
machine (or any machine sharing this home directory).  That's what
authorized_keys is for.  I might have created it only to authenticate from this
machine to another one.  I might have even given it an empty passphrase because
that other machine is disposable and I don't really care about it.

Eric

On 08/22/2016 14:27, Ollivier Robert wrote:
> Author: roberto
> Date: Mon Aug 22 19:27:20 2016
> New Revision: 304626
> URL: https://svnweb.freebsd.org/changeset/base/304626
> 
> Log:
>   Add support for Ed25519 keys.
>   
>   Reported by:	mwlucas
>   MFH:		2 weeks
> 
> Modified:
>   head/lib/libpam/modules/pam_ssh/pam_ssh.8
>   head/lib/libpam/modules/pam_ssh/pam_ssh.c
> 
> Modified: head/lib/libpam/modules/pam_ssh/pam_ssh.8
> ==============================================================================
> --- head/lib/libpam/modules/pam_ssh/pam_ssh.8	Mon Aug 22 19:05:11 2016	(r304625)
> +++ head/lib/libpam/modules/pam_ssh/pam_ssh.8	Mon Aug 22 19:27:20 2016	(r304626)
> @@ -137,6 +137,8 @@ SSH2 RSA key
>  SSH2 DSA key
>  .It Pa $HOME/.ssh/id_ecdsa
>  SSH2 ECDSA key
> +.It Pa $HOME/.ssh/id_ed25519
> +SSH2 Ed25519 key
>  .El
>  .Sh SEE ALSO
>  .Xr ssh-agent 1 ,
> 
> Modified: head/lib/libpam/modules/pam_ssh/pam_ssh.c
> ==============================================================================
> --- head/lib/libpam/modules/pam_ssh/pam_ssh.c	Mon Aug 22 19:05:11 2016	(r304625)
> +++ head/lib/libpam/modules/pam_ssh/pam_ssh.c	Mon Aug 22 19:27:20 2016	(r304626)
> @@ -81,6 +81,7 @@ static const char *pam_ssh_keyfiles[] = 
>  	".ssh/id_rsa",		/* SSH2 RSA key */
>  	".ssh/id_dsa",		/* SSH2 DSA key */
>  	".ssh/id_ecdsa",	/* SSH2 ECDSA key */
> +	".ssh/id_ed25519",	/* SSH2 Ed25519 key */
>  	NULL
>  };
>  
>