Source-Changes-HG archive


[src/trunk]: src/lib/libpam/modules/pam_ssh Add a SECURITY CONSIDERATIONS sect...



details:   https://anonhg.NetBSD.org/src/rev/90ec34cb7d32
branches:  trunk
changeset: 574405:90ec34cb7d32
user:      thorpej <thorpej%NetBSD.org@localhost>
date:      Sun Feb 27 21:32:46 2005 +0000

description:
Add a SECURITY CONSIDERATIONS section.

diffstat:

 lib/libpam/modules/pam_ssh/pam_ssh.8 |  19 ++++++++++++++++++-
 1 files changed, 18 insertions(+), 1 deletions(-)

diffs (30 lines):

diff -r a7bcc08396df -r 90ec34cb7d32 lib/libpam/modules/pam_ssh/pam_ssh.8
--- a/lib/libpam/modules/pam_ssh/pam_ssh.8      Sun Feb 27 21:01:59 2005 +0000
+++ b/lib/libpam/modules/pam_ssh/pam_ssh.8      Sun Feb 27 21:32:46 2005 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: pam_ssh.8,v 1.3 2005/02/26 15:14:44 thorpej Exp $
+.\" $NetBSD: pam_ssh.8,v 1.4 2005/02/27 21:32:46 thorpej Exp $
 .\" Copyright (c) 2001 Mark R V Murray
 .\" All rights reserved.
 .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc.
@@ -150,3 +150,20 @@
 as part of the DARPA CHATS research program.
 This manual page was written by
 .An "Mark R V Murray" Aq markm%FreeBSD.org@localhost .
+.Sh SECURITY CONSIDERATIONS
+The
+.Nm
+module implements what is fundamentally a password authentication scheme.
+Care should be taken to only use this module over a secure session
+.Po
+secure TTY, encrypted session, etc.
+.Pc ,
+otherwise the user's SSH passphrase could be compromised.
+.Pp
+Additional consideration should be given to the use of
+.Nm pam_ssh .
+Users often assume that file permissions are sufficient to protect their
+SSH keys, and thus use weak or no passphrases.
+Since the system administrator has no effective means of enforcing
+SSH passphrase quality, this has the potential to expose the system to
+security risks.
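
Review bot: The second paragraph of the new section (from "Additional consideration should be given to the use of" onward) names no concrete risk and gives the administrator nothing to act on. Its closing "this has the potential to expose the system to security risks" could say what the first paragraph already implies: under this module the SSH passphrase is the login credential, so a weak or empty passphrase amounts to a weak or empty password that the administrator cannot police. Consider rewording the opening sentence to state that directly. As a style point, `.Nm pam_ssh .` can be written `.Nm .` to match the bare `.Nm` used in the first paragraph.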


