Old 12-03-2008, 09:19 PM
Jens Peter Secher
 
Default For those who care about pam-ssh: RFC

I have recently adopted the libpam-ssh package and made a lot of changes in
the way the PAM module works. In summary, the module did not work as
advertised, so I rewrote parts of it while trying to make as little
disruption as possible, but one cannot make an omelet...

Because of the security implications of changing a PAM module, I would
welcome some peer reviewing of the changes I have made. The new package
has been uploaded to experimental, and the NEWS.Debian is as follows.
Also, I would like comments in general about whether there are
better ways to solve the problems.

* The PAM modules are now named 'ssh_auth' and 'ssh_session' which seems
to be more in line with other PAM modules' names.

* The 'keyfiles' option is now obsolete. Instead the authentication
module will automatically locate all files matching the pattern 'id_*'
(the idea for this came from a patch from Javier Serrano Polo).

* The 'try_first_pass' now works as advertised, namely by asking for an
SSH passphrase if the password from the previous PAM module fails to
unlock any of the user's SSH keys.

* The 'debug' option now works as advertised, and the output goes into
/var/log/auth.log .

* No SSH passphrase will be asked if the user has no SSH keys.

Thanks in advance,
/JP
--
Jens Peter Secher.
_DD6A 05B0 174E BFB2 D4D9 B52E 0EE5 978A FE63 E8A1 jpsecher gmail com_.
A. Because it breaks the logical sequence of discussion.
Q. Why is top posting bad?
 
Old 12-03-2008, 11:33 PM
"Luca Niccoli"
 
Default For those who care about pam-ssh: RFC

2008/12/3 Jens Peter Secher <jpsecher.noreply@gmail.com>:

> Because of the security implications of changing a PAM module, I would
> welcome some peer reviewing of the changes I have made. The new package
> has been uploaded to experimental, and the NEWS.Debian is as follows.
> Also, I would like comments in general about whether there are
> better ways to solve the problems.

As a user, I see a regression: I have @include (pam)-ssh-auth before
@include common-auth in my configuration, and I use two different
passwords for my local account and my ssh key; this way if I know
I'll be networking I take the bother to type the long-and-very-secure
password to unlock my key and get access to the computer, otherwise I
just hit enter and I'm asked for the simpler local password (I don't
think there's really a point in a strong password if someone has
physical access to the computer).
This doesn't work anymore out-of-the-box. Of course switching back to
the old behaviour is not a big deal, so I'm not complaining, just
wondering if this change makes the package better fitted to what the
user is expecting from it.
Maybe I'm the odd one, I don't know; let me just point out that with the
new way the unlock of the key is not what grants you the access to the
machine (which is what I would think ssh-auth does), IFUC.
I also noted that pam-ssh-auth and pam-ssh-session stayed in
/etc/pam.d after the upgrade, I don't know if this is intended.
Cheers
Luca


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 12-04-2008, 09:03 AM
Steve Langasek
 
Default For those who care about pam-ssh: RFC

On Wed, Dec 03, 2008 at 11:19:52PM +0100, Jens Peter Secher wrote:

> * The 'keyfiles' option is now obsolete. Instead the authentication
> module will automatically locate all files matching the pattern 'id_*'
> (the idea for this came from a patch from Javier Serrano Polo).

That doesn't sound like a good idea to me. What if a user has extra ssh
keys lying around that multiple people have the passphrase to, which prior
to this change would have been perfectly safe?

Also, why is the pattern id_*? ssh also recognizes 'identity' by default.
Shouldn't this really use the same pattern as ssh itself, i.e.,
(identity|id_dsa|id_rsa)?

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org


 
Old 12-04-2008, 11:25 AM
Vincent Zweije
 
Default For those who care about pam-ssh: RFC

On Thu, Dec 04, 2008 at 02:03:52AM -0800, Steve Langasek wrote:

|| On Wed, Dec 03, 2008 at 11:19:52PM +0100, Jens Peter Secher wrote:
||
|| > * The 'keyfiles' option is now obsolete. Instead the authentication
|| > module will automatically locate all files matching the pattern 'id_*'
|| > (the idea for this came from a patch from Javier Serrano Polo).
||
|| That doesn't sound like a good idea to me. What if a user has extra ssh
|| keys lying around that multiple people have the passphrase to, which prior
|| to this change would have been perfectly safe?
||
|| Also, why is the pattern id_*? ssh also recognizes 'identity' by default.
|| Shouldn't this really use the same pattern as ssh itself, i.e.,
|| (identity|id_dsa|id_rsa)?

In addition I, and probably some others, have the habit of disabling
files by adding a .OFF extension to them.

This practice is based on the (in my view) reasonable assumption that
programs should not be scanning directories for files to use unless
those directories are specially intended for that purpose.

It probably would be fine if there were a (documented) ~/.ssh/id.d/
directory containing keys to be used (and nothing else).

Ciao. Vincent.
--
Vincent Zweije <zweije@xs4all.nl> | "If you're flamed in a group you
<http://www.xs4all.nl/~zweije/> | don't read, does anybody get burnt?"
[Xhost should be taken out and shot] | -- Paul Tomblin on a.s.r.
 
Old 12-04-2008, 01:09 PM
"Jens Peter Secher"
 
Default For those who care about pam-ssh: RFC

2008/12/4 Vincent Zweije <vzweije@zweije.nl.eu.org>:
> On Thu, Dec 04, 2008 at 02:03:52AM -0800, Steve Langasek wrote:
>
> || On Wed, Dec 03, 2008 at 11:19:52PM +0100, Jens Peter Secher wrote:
> ||
> || > * The 'keyfiles' option is now obsolete. Instead the authentication
> || > module will automatically locate all files matching the pattern 'id_*'
> || > (the idea for this came from a patch from Javier Serrano Polo).
> ||
> || That doesn't sound like a good idea to me. What if a user has extra ssh
> || keys lying around that multiple people have the passphrase to, which prior
> || to this change would have been perfectly safe?
> ||
> || Also, why is the pattern id_*? ssh also recognizes 'identity' by default.
> || Shouldn't this really use the same pattern as ssh itself, i.e.,
> || (identity|id_dsa|id_rsa)?
>
> In addition I, and probably some others, have the habit of disabling
> files by adding a .OFF extension to them.
>
> This practice is based on the (in my view) reasonable assumption that
> programs should not be scanning directories for files to use unless
> those directories are specially intended for that purpose.
>
> It probably would be fine if there were a (documented) ~/.ssh/id.d/
> directory containing keys to be used (and nothing else).
>

That is a very good idea. But the id.d directory should probably
contain soft links to the actual keys to not interfere with the
standard location. Are there other packages which do something
similar?

If there are no objections, I will implement such a behaviour.

Cheers,
--
Jens Peter Secher.
_DD6A 05B0 174E BFB2 D4D9 B52E 0EE5 978A FE63 E8A1 jpsecher gmail com_.
A. Because it breaks the logical sequence of discussion.
Q. Why is top posting bad?


 
Old 12-04-2008, 01:55 PM
"Jens Peter Secher"
 
Default For those who care about pam-ssh: RFC

2008/12/4 Luca Niccoli <lultimouomo@gmail.com>:
> 2008/12/3 Jens Peter Secher <jpsecher.noreply@gmail.com>:
>
>> Because of the security implications of changing a PAM module, I would
>> welcome some peer reviewing of the changes I have made. The new package
>> has been uploaded to experimental, and the NEWS.Debian is as follows.
>> Also, I would like comments in general about whether there are
>> better ways to solve the problems.
>
> As a user, I see a regression: I have @include (pam)-ssh-auth before
> @include common-auth in my configuration, and I use two different
> passwords for my local account and my ssh key; this way if I know
> I'll be networking I take the bother to type the long-and-very-secure
> password to unlock my key and get access to the computer, otherwise I
> just hit enter and I'm asked for the simpler local password

To do that you will need to change /etc/pam.d/ssh-auth to

auth sufficient pam_ssh.so

such that the SSH passphrase is always asked, and, if it unlocks any
of the SSH keys, it will be sufficient to login.

> (I don't
> think there's really a point in a strong password if someone has
> physical access to the computer).

Hmm, if no one else has access to the computer (including remote
access) then the passphrase on the SSH keys does not need to be more
secure than the login password. On the other hand, if there is remote
access to the computer, then a weak password will enable an evil
hacker to get into your account, copy your SSH key and brute-force
attack the key elsewhere. So I do not really see your point.


Cheers,
--
Jens Peter Secher.
_DD6A 05B0 174E BFB2 D4D9 B52E 0EE5 978A FE63 E8A1 jpsecher gmail com_.
A. Because it breaks the logical sequence of discussion.
Q. Why is top posting bad?


 
Old 12-04-2008, 05:32 PM
"Jens Peter Secher"
 
Default For those who care about pam-ssh: RFC

2008/12/4 Luca Niccoli <lultimouomo@gmail.com>:
> 2008/12/4 Jens Peter Secher <jps@debian.org>:
>
>> To do that you will need to change /etc/pam.d/ssh-auth to
>>
>> auth sufficient pam_ssh.so
>
> I know, that's why I'm not complaining =)
> Maybe writing it in the README.Debian could be a good idea.
>

OK, will do.

Cheers,
--
Jens Peter Secher.
_DD6A 05B0 174E BFB2 D4D9 B52E 0EE5 978A FE63 E8A1 jpsecher gmail com_.
A. Because it breaks the logical sequence of discussion.
Q. Why is top posting bad?


 
Old 12-05-2008, 07:26 AM
Peter Palfrader
 
Default For those who care about pam-ssh: RFC

On Thu, 04 Dec 2008, Jens Peter Secher wrote:

> 2008/12/4 Vincent Zweije <vzweije@zweije.nl.eu.org>:
> > It probably would be fine if there were a (documented) ~/.ssh/id.d/
> > directory containing keys to be used (and nothing else).
> >
>
> That is a very good idea. But the id.d directory should probably
> contain soft links to the actual keys to not interfere with the
> standard location. Are there other packages which do something
> similar?

It should probably also be called something that describes its purpose
accurately, like login-keys.d or pam-key.d or something like that.
id.d is just too generic.
--
| .'`. ** Debian GNU/Linux **
Peter Palfrader | : :' : The universal
http://www.palfrader.org/ | `. `' Operating System
| `- http://www.debian.org/


 
Old 12-05-2008, 12:54 PM
"Jens Peter Secher"
 
Default For those who care about pam-ssh: RFC

2008/12/5 Peter Palfrader <weasel@debian.org>:
>
> It should probably also be called something that describes its purpose
> accurately, like login-keys.d or pam-key.d or something like that.
> id.d is just too generic.

OK, I will use ~/.ssh/login-keys.d, unless there are objections.

Cheers,
--
Jens Peter Secher.
_DD6A 05B0 174E BFB2 D4D9 B52E 0EE5 978A FE63 E8A1 jpsecher gmail com_.
A. Because it breaks the logical sequence of discussion.
Q. Why is top posting bad?
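
The key-discovery policies debated in this thread (the 'id_*' scan, the fixed names ssh tries by default, and the opt-in ~/.ssh/login-keys.d directory of symlinks), compared on a constructed ~/.ssh layout. This is an added example, not code from pam-ssh or from any poster: the function names, the sample files and the permission check in optin_policy are assumptions, and glob_policy is a literal reading of the 'id_*' pattern rather than the module's own matching code.

```python
import fnmatch
import stat
import tempfile
from pathlib import Path

SSH_DEFAULTS = ("identity", "id_dsa", "id_rsa")  # names Steve Langasek lists

def glob_policy(ssh_dir):
    """Literal reading of the NEWS.Debian entry: every file named id_*."""
    return sorted(p.name for p in Path(ssh_dir).iterdir()
                  if p.is_file() and fnmatch.fnmatchcase(p.name, "id_*"))

def defaults_policy(ssh_dir):
    """Only the fixed names ssh itself tries, as suggested in the thread."""
    return [n for n in SSH_DEFAULTS if (Path(ssh_dir) / n).is_file()]

def optin_policy(ssh_dir, subdir="login-keys.d"):
    """Only keys the user deliberately symlinked into ~/.ssh/login-keys.d."""
    keys, d = [], Path(ssh_dir) / subdir
    if not d.is_dir():
        return keys
    for link in sorted(d.iterdir()):
        try:
            target = link.resolve(strict=True)  # dangling link raises OSError
            st = target.stat()
        except OSError:
            continue
        # Assumed extra check: regular file with no group/other permission bits.
        if stat.S_ISREG(st.st_mode) and not st.st_mode & 0o077:
            keys.append(target.name)
    return keys

def build_sample_ssh_dir(root):
    """Constructed sample ~/.ssh layout; file contents are placeholders."""
    ssh = Path(root) / ".ssh"
    (ssh / "login-keys.d").mkdir(parents=True)
    for name in ("identity", "id_rsa", "id_rsa.pub", "id_dsa.OFF", "id_shared"):
        (ssh / name).write_text("constructed placeholder, not a key\n")
        (ssh / name).chmod(0o600)
    (ssh / "login-keys.d" / "id_rsa").symlink_to(ssh / "id_rsa")
    (ssh / "login-keys.d" / "stale").symlink_to(ssh / "missing")
    return ssh

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        ssh = build_sample_ssh_dir(tmp)
        for policy in (glob_policy, defaults_policy, optin_policy):
            print(f"{policy.__name__:16} {policy(ssh)}")
```

On the sample layout the 'id_*' scan also returns the renamed id_dsa.OFF, the shared id_shared and the public half id_rsa.pub while missing identity; the opt-in directory returns only the key that was linked on purpose.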


 
Old 12-05-2008, 08:25 PM
Ben Finney
 
Default For those who care about pam-ssh: RFC

"Jens Peter Secher" <jps@debian.org> writes:

> OK, I will use ~/.ssh/login-keys.d, unless there are objections.

I think you should consult on ‘pam-list’, the discussion list for PAM,
before making that change.

<URL:https://listman.redhat.com/mailman/listinfo/pam-list>

--
“True greatness is measured by how much freedom you give to |
` others, not by how much you can coerce others to do what you |
_o__) want.” —Larry Wall |
Ben Finney


 

All times are GMT.