Deprecating pam_stack.so

Patrice Dumas pertusus at free.fr
Wed Oct 12 10:17:17 UTC 2005


> This is a problem as the passphrases for ssh keys can be different from
> the user's system password. So the pam_ssh is definitely not a
> replacement for ssh-agent.

This is not an issue for pam_ssh, as pam_ssh may ask for the passphrase.
There is a difference, though. Indeed, with pam_ssh the passphrase is
always asked for; with ssh-agent the passphrase is only asked for
if the user launches ssh-add.

With the following /etc/pam.d/gdm I log in using a password checked by
service=system-auth, then give the passphrase to pam_ssh in the auth phase,
and the login succeeds even if I give a bad passphrase. If the passphrase was
right, the agent is launched in the session phase:


 #%PAM-1.0
 auth       required     pam_env.so
 auth       required     pam_stack.so service=system-auth
 auth       required     pam_nologin.so
 auth       optional     pam_ssh.so
 account    required     pam_stack.so service=system-auth
 password   required     pam_stack.so service=system-auth
 session    required     pam_stack.so service=system-auth
 session    optional     pam_console.so
 session    optional     pam_ssh.so

Of course there are other usages of pam_ssh, for example it may be required
in the auth phase.

--
Pat




More information about the fedora-devel-list mailing list