Date: Mon, 22 Aug 2016 15:01:44 -0500
From: Eric van Gyzen <vangyzen@FreeBSD.org>
To: freebsd-security@FreeBSD.org
Subject: Re: svn commit: r304626 - head/lib/libpam/modules/pam_ssh
Message-ID: <26e1bd89-46c4-e1c1-4c2a-5ac9a830f0c7@FreeBSD.org>
In-Reply-To: <60cfbe14-5110-df59-29f3-2ede0fcf5456@FreeBSD.org>
References: <60cfbe14-5110-df59-29f3-2ede0fcf5456@FreeBSD.org>
I had never looked at pam_ssh before. Does it really ignore authorized_keys and allow authentication using any of the default key file names? After a quick read of the code, that certainly seems to be the case. Does anyone else find that alarming?

Sure, it's in my ~/.ssh directory and has appropriate permissions, but that doesn't mean I want to use it for authentication to this machine (or any machine sharing this home directory). That's what authorized_keys is for. I might have created it only to authenticate from this machine to another one. I might have even given it an empty passphrase because that other machine is disposable and I don't really care about it.

Eric

On 08/22/2016 14:27, Ollivier Robert wrote:
> Author: roberto
> Date: Mon Aug 22 19:27:20 2016
> New Revision: 304626
> URL: https://svnweb.freebsd.org/changeset/base/304626
>
> Log:
> Add support for Ed25519 keys.
>
> Reported by: mwlucas
> MFH: 2 weeks
>
> Modified:
> head/lib/libpam/modules/pam_ssh/pam_ssh.8
> head/lib/libpam/modules/pam_ssh/pam_ssh.c
>
> Modified: head/lib/libpam/modules/pam_ssh/pam_ssh.8 > ============================================================================== > --- head/lib/libpam/modules/pam_ssh/pam_ssh.8 Mon Aug 22 19:05:11 2016 (r304625) > +++ head/lib/libpam/modules/pam_ssh/pam_ssh.8 Mon Aug 22 19:27:20 2016 (r304626) > @@ -137,6 +137,8 @@ SSH2 RSA key > SSH2 DSA key > .It Pa $HOME/.ssh/id_ecdsa > SSH2 ECDSA key > +.It Pa $HOME/.ssh/id_ed25519 > +SSH2 Ed25519 key > .El > .Sh SEE ALSO > .Xr ssh-agent 1 , > > Modified: head/lib/libpam/modules/pam_ssh/pam_ssh.c > ============================================================================== > --- head/lib/libpam/modules/pam_ssh/pam_ssh.c Mon Aug 22 19:05:11 2016 (r304625) > +++ head/lib/libpam/modules/pam_ssh/pam_ssh.c Mon Aug 22 19:27:20 2016 (r304626)
> @@ -81,6 +81,7 @@ static const char *pam_ssh_keyfiles[] = > ".ssh/id_rsa", /* SSH2 RSA key */ > ".ssh/id_dsa", /* SSH2 DSA key */ > ".ssh/id_ecdsa", /* SSH2 ECDSA key */ > + ".ssh/id_ed25519", /* SSH2 Ed25519 key */ > NULL > }; > >
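Review bot: the .Dd date of pam_ssh.8 is not bumped in this hunk even though the documented key-file list changes; FreeBSD convention is to update .Dd whenever a manual page's content changes, so that belongs in the same commit. The new `.It Pa $HOME/.ssh/id_ed25519` / `SSH2 Ed25519 key` entry is otherwise consistent with the C array: same filename, same position after id_ecdsa.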
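Review bot: extending pam_ssh_keyfiles[] widens the set of files that can satisfy authentication, and as raised in this reply the module consults this fixed list rather than authorized_keys, so a key sitting under any of these names is usable for login whether or not the user ever meant it for inbound access. The one-line addition is correct as far as it goes (the NULL terminator stays in place, the comment matches the neighbouring entries), but that property deserves a sentence in pam_ssh.8 next to the list, and a module option to restrict which of these names are tried would be a reasonable follow-up.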
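As an added example prompted by the concern above (not code from the thread or from pam_ssh itself): a small POSIX sh audit that walks the key-file names visible in the pam_ssh_keyfiles[] hunk and reports any private key present in a home directory whose public half is not listed in that user's authorized_keys. It assumes each private key has a sibling `.pub` file and that the array has no entries other than the ones the hunk shows; the sample home directory and key material are constructed placeholders.

```shell
#!/bin/sh
# Added audit helper, not part of pam_ssh: walk the fixed key-file names that
# pam_ssh_keyfiles[] tries (the names visible in the r304626 hunk; earlier
# entries may exist) and report keys present in ~/.ssh whose public half is
# not listed in authorized_keys. Assumes each private key has a sibling .pub.

PAM_SSH_KEYFILES="id_rsa id_dsa id_ecdsa id_ed25519"

# audit_pam_ssh_keys HOME_DIR
# Prints "<name> listed" or "<name> NOT-IN-authorized_keys" per existing key,
# then "unlisted=<count>".
audit_pam_ssh_keys() {
    home="$1"
    auth="$home/.ssh/authorized_keys"
    unlisted=0
    for name in $PAM_SSH_KEYFILES; do
        key="$home/.ssh/$name"
        [ -f "$key" ] || continue            # pam_ssh skips absent names
        if [ ! -f "$key.pub" ]; then
            echo "$name no-pubfile"
            unlisted=$((unlisted + 1))
            continue
        fi
        # Match on "<type> <base64>" only; comments and options vary.
        blob=$(awk 'NR == 1 {print $1 " " $2}' "$key.pub")
        if [ -f "$auth" ] && grep -qF -- "$blob" "$auth"; then
            echo "$name listed"
        else
            echo "$name NOT-IN-authorized_keys"
            unlisted=$((unlisted + 1))
        fi
    done
    echo "unlisted=$unlisted"
}

# make_sample_home DIR: constructed fixture with two placeholder key pairs;
# only the Ed25519 public key is present in authorized_keys.
make_sample_home() {
    mkdir -p "$1/.ssh"
    echo "constructed placeholder, not a real key" > "$1/.ssh/id_ed25519"
    echo "ssh-ed25519 AAAAC3CONSTRUCTED== user@host" > "$1/.ssh/id_ed25519.pub"
    echo "constructed placeholder, not a real key" > "$1/.ssh/id_rsa"
    echo "ssh-rsa AAAAB3CONSTRUCTED== user@host" > "$1/.ssh/id_rsa.pub"
    echo "ssh-ed25519 AAAAC3CONSTRUCTED== user@host" > "$1/.ssh/authorized_keys"
}

# Demo run against the constructed home directory; no real keys are touched.
demo=$(mktemp -d)
make_sample_home "$demo"
audit_pam_ssh_keys "$demo"
rm -rf "$demo"
```

On a real system, run `audit_pam_ssh_keys "$HOME"` for each account where pam_ssh is enabled; a `NOT-IN-authorized_keys` line is a key that pam_ssh would try but sshd's own key authentication would not accept.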