On Sun, Aug 11, 2002 at 06:59:29AM +0200, Russell Coker wrote:
> Normally to change a user's password you have to be root or to know the old
> password. This prevents someone from completely taking over your account if
> you leave your terminal logged in or get tricked into running a hostile
> script. This PAM module changes the regular Unix password semantics.
>
> With such a PAM module installed anyone who can write to your home directory
> can change your password.

I am not sure I see the problem? (irrelevant side note: do you need to enter your old passphrase before changing it?)

Unless of course, you think .ssh/authorized_keys is a security risk for exactly the same reasons?

Anybody who has write access to .ssh/authorized_keys can do exactly the same thing as if he can change the user's password.

Plus! There's still more! Anybody who does change .ssh/authorized_keys can do so in such a way that the real user can still log in, so the real user may not even notice anything is wrong.

--
Brian May <[EMAIL PROTECTED]>