Package: libpam-ssh
Followup-For: Bug #519314

I very much like the idea that pam-ssh has added a mechanism to allow users to configure additional SSH keys to unlock on login without requiring system-wide configuration via the keyfiles option. The login-keys.d directory seems like a sensible way to do this.

However, this configurability should not come at the expense of working out-of-the-box without per-user configuration. Unlike previous versions, this new version of libpam-ssh no longer adds my keys to the agent by default. This represents a regression from previous versions.

I read the debian-devel thread in question, and the only complaint I saw about using id_* by default related to taking advantage of a key with a weak or well-known passphrase to log in as the user. This only seems like a problem when configuring pam-ssh as a login mechanism, rather than only a mechanism to run an ssh-agent and unlock keys as many people do.

Thus, I have a proposal which I think will address these concerns while still working out-of-the-box:

- Always attempt to unlock all keys matching id_* and add them to the ssh-agent. Alternatively, at least unlock keys matching id_rsa, id_dsa, and identity, as SSH does and the previous version of pam-ssh did. Since you can only unlock keys this way if you know their passphrase, this shouldn't represent a security problem.

- For authentication purposes, only treat keys linked from login-keys.d as sufficient for authentication. This ensures that people don't inadvertently allow authentication via an unexpected key.

Thus, if I have no login-keys.d directory, pam-ssh will not allow me to use my SSH keys to log in, but it will still unlock any keys that my normal password unlocks and add them to ssh-agent.

Now, this still potentially represents a regression for people who use pam-ssh for authentication. However, it seems more reasonable to allow a regression there to prevent a potential security problem. I don't use pam-ssh for authentication, so I can't speak for the people who do; the behavior I described above will at least fix the regression for people who use pam-ssh just to unlock their keys.

- Josh Triplett
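
A small model of the two-tier policy proposed in the message above, added here as an illustration; it is not pam-ssh code and not part of the original message. The `try_unlock` callback, `fake_unlock`, and the demo directory layout are hypothetical stand-ins for real private-key decryption.

```python
import tempfile
from pathlib import Path

def candidate_keys(ssh_dir):
    """Private keys to try for the agent: id_* (minus *.pub) and legacy 'identity'."""
    ssh_dir = Path(ssh_dir)
    keys = {p.resolve() for p in ssh_dir.glob("id_*")
            if p.is_file() and p.suffix != ".pub"}
    if (ssh_dir / "identity").is_file():
        keys.add((ssh_dir / "identity").resolve())
    return keys

def login_keys(ssh_dir):
    """Keys the user explicitly linked from login-keys.d (empty set if absent)."""
    d = Path(ssh_dir) / "login-keys.d"
    return {p.resolve() for p in d.iterdir() if p.is_file()} if d.is_dir() else set()

def evaluate(ssh_dir, password, try_unlock):
    """Unlock every key the password opens; authenticate only via linked keys."""
    login = login_keys(ssh_dir)
    unlocked = {k for k in candidate_keys(ssh_dir) | login if try_unlock(k, password)}
    # A key counts toward authentication only if the user opted it in via login-keys.d.
    return {"agent_keys": unlocked, "auth_ok": bool(unlocked & login)}

def fake_unlock(path, password):
    # Constructed stand-in (assumption): each demo "key" file holds its own passphrase.
    return Path(path).read_text() == password

def build_demo(root):
    """Constructed ~/.ssh layout used only for this example."""
    ssh = Path(root) / ".ssh"
    (ssh / "login-keys.d").mkdir(parents=True)
    (ssh / "id_rsa").write_text("hunter2")     # passphrase equals login password
    (ssh / "id_ed25519").write_text("other")   # different passphrase
    (ssh / "id_rsa.pub").write_text("public")  # public half, must be skipped
    (ssh / "work_key").write_text("hunter2")   # not id_*, reachable only via the link
    (ssh / "login-keys.d" / "work").symlink_to(ssh / "work_key")
    return ssh

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        result = evaluate(build_demo(root), "hunter2", fake_unlock)
        print(sorted(p.name for p in result["agent_keys"]), result["auth_ok"])
```

With the login-keys.d directory removed, the same password still loads id_rsa into the agent but `auth_ok` is false, which is the out-of-the-box behaviour the proposal asks for.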