Subject: Regarding the use of pam_ssh
To: John Nemeth <jnemeth@victoria.tc.ca>
From: Jason Thorpe <thorpej@shagadelic.org>
List: tech-security
Date: 02/27/2005 08:10:04

CC'ing to tech-security because I think it warrants discussion.

On Feb 27, 2005, at 1:56 AM, John Nemeth wrote:

>      I am working on creating a couple of missing files (pppd and
> racoon).  I noticed that during this cleanup you nuked pam_ssh from the
> auth section of several files, although it is in the new
> display_manager file.  I was just wondering why this was done?

I nuked it from services where the ssh passphrase could be compromised 
by being sent over an unencrypted channel.

I have similar misgivings about pam_krb5 and certain protocols.

Anyway, pam_ssh for a display manager is perfectly fine, since you're 
(almost certainly) sitting at a console in that case.

-- thorpej
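
An added example, not part of the original message or of NetBSD's own tooling: a small audit of pam.d-style service files that flags `pam_ssh` or `pam_krb5` in the `auth` stack of services whose transport is unencrypted. The set of cleartext service names and the sample file contents are assumptions constructed for illustration; an operator would supply their own list and read the real files from `/etc/pam.d`.

```python
import os

# Assumption: the operator decides which PAM services take credentials over a
# cleartext transport; these names are illustrative, not a list from the post.
CLEARTEXT_SERVICES = {"ftpd", "telnetd", "rsh"}
# Modules the post is concerned about when the channel is unencrypted.
SECRET_MODULES = {"pam_ssh", "pam_krb5"}

def parse_pam_lines(text):
    """Yield (lineno, facility, module_name) for each rule in a pam.d file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        fields = line.split()
        if len(fields) < 3:
            continue
        facility = fields[0].lstrip("-").lower()
        idx = 1                                  # index of the control field
        if fields[1].startswith("["):            # [a=b c=d] may span fields
            while idx < len(fields) and not fields[idx].endswith("]"):
                idx += 1
        if idx + 1 >= len(fields):
            continue
        # Reduce /path/pam_ssh.so.0 or pam_ssh.so to the bare name pam_ssh.
        module = os.path.basename(fields[idx + 1]).split(".")[0]
        yield lineno, facility, module

def audit(configs, cleartext=CLEARTEXT_SERVICES, modules=SECRET_MODULES):
    """Return (service, lineno, module) for risky auth rules, sorted by service."""
    findings = []
    for service, text in sorted(configs.items()):
        if service not in cleartext:
            continue                             # e.g. a console display manager
        for lineno, facility, module in parse_pam_lines(text):
            if facility == "auth" and module in modules:
                findings.append((service, lineno, module))
    return findings

# Constructed sample file contents, keyed by service name.
SAMPLE = {
    "ftpd": "# constructed sample\n"
            "auth sufficient pam_krb5.so no_warn try_first_pass\n"
            "auth sufficient pam_ssh.so  no_warn try_first_pass\n"
            "auth required   pam_unix.so no_warn try_first_pass\n",
    "display_manager": "auth sufficient pam_ssh.so  no_warn try_first_pass\n"
                       "auth required   pam_unix.so no_warn try_first_pass\n",
}

if __name__ == "__main__":
    for service, lineno, module in audit(SAMPLE):
        print(f"{service}:{lineno}: {module} in auth stack of cleartext service")
```

The parser does not follow `include` rules, so a module pulled in from a shared file has to be checked by auditing that file under the including service's name.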