I had never looked at pam_ssh before. Does it really ignore authorized_keys and allow authentication using any of the default key file names? After a quick read of the code, that certainly seems to be the case. Does anyone else find that alarming? Sure, it's in my ~/.ssh directory and has appropriate permissions, but that doesn't mean I want to use it for authentication to this machine (or any machine sharing this home directory). That's what authorized_keys is for. I might have created it only to authenticate from this machine to another one. I might have even given it an empty passphrase because that other machine is disposable and I don't really care about it.
Eric On 08/22/2016 14:27, Ollivier Robert wrote: > Author: roberto > Date: Mon Aug 22 19:27:20 2016 > New Revision: 304626 > URL: https://svnweb.freebsd.org/changeset/base/304626 > > Log: > Add support for Ed25519 keys. > > Reported by: mwlucas > MFH: 2 weeks > > Modified: > head/lib/libpam/modules/pam_ssh/pam_ssh.8 > head/lib/libpam/modules/pam_ssh/pam_ssh.c > > Modified: head/lib/libpam/modules/pam_ssh/pam_ssh.8 > ============================================================================== > --- head/lib/libpam/modules/pam_ssh/pam_ssh.8 Mon Aug 22 19:05:11 2016 > (r304625) > +++ head/lib/libpam/modules/pam_ssh/pam_ssh.8 Mon Aug 22 19:27:20 2016 > (r304626) > @@ -137,6 +137,8 @@ SSH2 RSA key > SSH2 DSA key > .It Pa $HOME/.ssh/id_ecdsa > SSH2 ECDSA key > +.It Pa $HOME/.ssh/id_ed25519 > +SSH2 Ed25519 key > .El > .Sh SEE ALSO > .Xr ssh-agent 1 , > > Modified: head/lib/libpam/modules/pam_ssh/pam_ssh.c > ============================================================================== > --- head/lib/libpam/modules/pam_ssh/pam_ssh.c Mon Aug 22 19:05:11 2016 > (r304625) > +++ head/lib/libpam/modules/pam_ssh/pam_ssh.c Mon Aug 22 19:27:20 2016 > (r304626) > @@ -81,6 +81,7 @@ static const char *pam_ssh_keyfiles[] = > ".ssh/id_rsa", /* SSH2 RSA key */ > ".ssh/id_dsa", /* SSH2 DSA key */ > ".ssh/id_ecdsa", /* SSH2 ECDSA key */ > + ".ssh/id_ed25519", /* SSH2 Ed25519 key */ > NULL > }; > > _______________________________________________ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
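Review bot: the new `.It Pa $HOME/.ssh/id_ed25519` / `SSH2 Ed25519 key` entry in pam_ssh.8 matches the style of the RSA, DSA and ECDSA entries above it, but that list still only names the files and nowhere in the shown text says what being listed means for a user: that the passphrase of any of these private keys is accepted as the login credential, independent of authorized_keys, as the reply above notes after reading the code. With a fourth file name now in the list, consider adding a sentence next to it stating that, so someone who keeps an id_ed25519 under that name purely for outbound connections (possibly with an empty passphrase) learns that it now also authenticates to this host.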
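Review bot: the `".ssh/id_ed25519", /* SSH2 Ed25519 key */` line appended to `pam_ssh_keyfiles` is a policy change, not just a format addition, because this array is the module's only rule for which private keys count as login credentials; the log ("Add support for Ed25519 keys", MFH 2 weeks) presents it as plain feature support. Suggest the commit log and the comment above the array say explicitly that every file named here is tried for authentication regardless of authorized_keys, so that future additions to this list are reviewed with that consequence in mind rather than as a routine key-type update.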