Deprecating pam_stack.so
Patrice Dumas
pertusus at free.fr
Wed Oct 12 10:17:17 UTC 2005
> This is a problem as the passphrases for ssh keys can be different from
> the user's system password. So the pam_ssh is definitely not a
> replacement for ssh-agent.
This is not an issue for pam_ssh, as pam_ssh may ask for the passphrase.
There is a difference, though. Indeed, with pam_ssh the passphrase is
always asked for, whereas with ssh-agent the passphrase is only asked for
if the user launches ssh-add.
With the following /etc/pam.d/gdm I log in using a password checked by
service=system-auth, then give the passphrase to pam_ssh in the auth phase,
and the login succeeds even if I give a bad passphrase. If the passphrase was
right, the agent is launched in the session phase:
#%PAM-1.0
auth required pam_env.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
auth optional pam_ssh.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
session optional pam_ssh.so
Of course there are other usages of pam_ssh, for example it may be required
in the auth phase.
--
Pat
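As an added illustration (not code from the original mail, nor from pam_ssh or Linux-PAM), here is a small Python simulator of the PAM control flags, evaluating the auth stack of the gdm file above: it shows why a bad passphrase does not block the login while pam_ssh is optional, and what changes if that line is made required. The functions run_stack and gdm_auth_result and the per-module outcomes are assumptions constructed for this example.

```python
# Added example (not part of the original mail): a minimal simulator of
# Linux-PAM control-flag semantics, used to evaluate the auth stack from the
# /etc/pam.d/gdm file above. Module outcomes are supplied as constructed
# results; nothing here calls the real PAM library.

SUCCESS, FAIL = "success", "fail"

def run_stack(stack, results):
    """Evaluate one PAM phase (e.g. auth) and return SUCCESS or FAIL.

    stack   -- list of (control, module) pairs in file order
    results -- dict module -> SUCCESS/FAIL (modules not listed succeed)
    """
    if len(stack) == 1 and stack[0][0] == "optional":
        # An optional module only matters when it is the only one in the stack.
        return results.get(stack[0][1], SUCCESS)
    failed = False
    for control, module in stack:
        outcome = results.get(module, SUCCESS)
        if control == "required" and outcome == FAIL:
            failed = True          # keep running the stack, but the phase fails
        elif control == "requisite" and outcome == FAIL:
            return FAIL            # fail immediately, skipping later modules
        elif control == "sufficient" and outcome == SUCCESS and not failed:
            return SUCCESS         # short-circuit success
        elif control == "optional":
            pass                   # result is ignored in a multi-module stack
        elif control not in ("required", "requisite", "sufficient"):
            raise ValueError(f"unknown control flag {control!r}")
    return FAIL if failed else SUCCESS

# The auth phase of the posted gdm file.
GDM_AUTH = [
    ("required", "pam_env.so"),
    ("required", "pam_stack.so service=system-auth"),
    ("required", "pam_nologin.so"),
    ("optional", "pam_ssh.so"),
]

def gdm_auth_result(password_ok, passphrase_ok, pam_ssh_control="optional"):
    """Outcome of the gdm auth phase for constructed password/passphrase results.
    pam_ssh_control lets the pam_ssh line be tried as "required" instead."""
    stack = [(pam_ssh_control if m == "pam_ssh.so" else c, m) for c, m in GDM_AUTH]
    results = {
        "pam_stack.so service=system-auth": SUCCESS if password_ok else FAIL,
        "pam_ssh.so": SUCCESS if passphrase_ok else FAIL,
    }
    return run_stack(stack, results)
```

With the posted file, gdm_auth_result(True, False) returns "success" (bad passphrase, login still allowed); with pam_ssh_control="required" the same input returns "fail".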