On Sun, 2005-02-27 at 15:35 -0500, Mason Loring Bliss wrote:
> This seems like a bad sort of default behaviour. I would recommend that
> a note be added somewhere prominent that indicates this to folks who
> are familiar with ssh but not with the impact of that PAM statement...

That would be nice since I've seen quite a few compromised boxes running unstable whose owners turned off PasswordAuthentication and either didn't notice that it made no difference or didn't bother to check. I have to admit being deceived that way once too. Luckily not for long - I hadn't copied my public key on that machine yet and I was asked for a password which of course was accepted to my surprise.

--
Best regards,
Martin Orda
http://www.securityshells.com