On Wed, Jul 08, 2009 at 02:03:57PM -0700, Roger Bumgarner wrote:
> As far as I know, it does keys first then falls back to passwords. I'd
> imagine PAM could help, but I'm not knowledgeable enough in regards to
> that. I know you're only limited by your imagination when it comes to
> PAM authentication. SSH-keys can (and should!) be password-protected
> already.

One of the big problems with ssh keys, though, is that there's no way for an admin to force a user's key to be password protected. On occasion, when there are other restrictions in place, passwordless keys are a good thing and can be used safely, but when used to access a user's account, they're always bad.

Also, since ssh public key auth isn't handled by PAM, I don't believe there's a way to use PAM to require both keys and passwords. I could be wrong, though. My users would shoot me if I ever tried such a thing. (Plus we've got Kerberos and don't usually mess around with keys or passwords).

Not that any of this will help if this alleged sshd vulnerability can be triggered prior to authentication.

noah
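
As an added illustration, not part of the original message: whether a key has a passphrase is recorded only in the private key file on the client, which the server never receives during public key authentication. This Python sketch reads that marker from key files an admin can reach (for example on managed workstations); it also covers the newer openssh-key-v1 format, and the function names and sample keys are constructed for the example.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # start of the decoded new-format key blob


def key_is_encrypted(key_text: str) -> bool:
    """Report whether a private key file's own metadata marks it as encrypted."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ") and "PRIVATE KEY" in lines[0]):
        raise ValueError("not a PEM-armoured private key")
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8 encrypted
        return True
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            raise ValueError("bad openssh-key-v1 header")
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        if len(cipher) != n:
            raise ValueError("truncated cipher name")
        return cipher != b"none"  # "none" means no passphrase
    # Legacy PEM keys flag encryption in a Proc-Type header
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])


def openssh_stub(cipher: bytes) -> str:
    """Constructed sample: only the header fields this check reads, no key material."""
    body = base64.b64encode(MAGIC + struct.pack(">I", len(cipher)) + cipher).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy-format stubs (the base64 body is placeholder text, not a key)
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, text in [("legacy plain", LEGACY_PLAIN), ("legacy encrypted", LEGACY_ENCRYPTED),
                       ("openssh none", openssh_stub(b"none")),
                       ("openssh aes256-ctr", openssh_stub(b"aes256-ctr"))]:
        print(f"{name}: {'passphrase-protected' if key_is_encrypted(text) else 'UNPROTECTED'}")
```

The check only works where the private key file itself is readable; nothing in the matching `authorized_keys` entry on the server reveals it.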