Subject: Re: Regarding the use of pam_ssh
To: Roland Dowdeswell <elric@imrryr.org>
From: Jason Thorpe <thorpej@shagadelic.org>
List: tech-security
Date: 02/27/2005 13:32:31
On Feb 27, 2005, at 12:15 PM, Roland Dowdeswell wrote:

> pam_ssh should not be enabled in the default system because:

Well... yah, those are good arguments.  I have also added the following 
to the pam_krb5 and pam_ssh manpages:

SECURITY CONSIDERATIONS
      The pam_krb5 module implements what is fundamentally a password
      authentication scheme.  It does not use a Kerberos 5 exchange between
      client and server, but rather authenticates the password provided by
      the client against the Kerberos KDC.  Therefore, care should be taken
      to only use this module over a secure session (secure TTY, encrypted
      session, etc.), otherwise the user's Kerberos 5 password could be
      compromised.

SECURITY CONSIDERATIONS
      The pam_ssh module implements what is fundamentally a password
      authentication scheme.  Care should be taken to only use this module
      over a secure session (secure TTY, encrypted session, etc.), otherwise
      the user's SSH passphrase could be compromised.

I will add this additional text to the pam_ssh manpage:

      Additional consideration should be given to the use of pam_ssh.
      Users often assume that file permissions are sufficient to protect
      their SSH keys, and thus use weak or no passphrases.  Since the system
      administrator has no effective means of enforcing SSH passphrase
      quality, this has the potential to expose the system to security
      risks.

I will also disable pam_ssh in the display_manager PAM meta-config.

-- thorpej
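The change described in the message, disabling pam_ssh for the display manager service, together with a small check that finds PAM service files where pam_ssh (or pam_krb5) is still active as an auth module. This is an added example, not code from the thread or from the NetBSD tree; the two display_manager configurations below are constructed samples and the real /etc/pam.d/display_manager contents are an assumption, as are the helper names.

```shell
#!/bin/sh
# Added example, not from the NetBSD tree or the mailing-list thread.
# Audits pam.d-style service configs for auth entries that use pam_ssh.so
# or pam_krb5.so, the two modules the manpage text above describes as
# password schemes that are only safe over a secure session.
# The configs below are constructed samples; the real display_manager
# file is assumed to look roughly like this.

# Constructed "before" config: pam_ssh is enabled for the display manager.
DM_BEFORE='# display_manager (constructed sample)
auth    optional   pam_krb5.so   no_warn try_first_pass
auth    optional   pam_ssh.so    no_warn try_first_pass
auth    required   pam_unix.so   no_warn try_first_pass
account required   pam_unix.so
session required   pam_unix.so'

# Constructed "after" config: the pam_ssh entry has been commented out.
DM_AFTER='# display_manager (constructed sample)
auth    optional   pam_krb5.so   no_warn try_first_pass
#auth   optional   pam_ssh.so    no_warn try_first_pass
auth    required   pam_unix.so   no_warn try_first_pass
account required   pam_unix.so
session required   pam_unix.so'

# password_auth_modules CONFIG_TEXT
# Prints, one per line, the module names from uncommented "auth" entries
# that are password-style authenticators (pam_ssh.so or pam_krb5.so).
# Fields are: type  control  module  [args...]
password_auth_modules() {
    printf '%s\n' "$1" |
    awk '
        /^[[:space:]]*#/ || NF < 3 { next }      # skip comments, short lines
        $1 == "auth" && $3 ~ /^pam_(ssh|krb5)\.so$/ { print $3 }
    '
}

# has_pam_ssh CONFIG_TEXT
# Exit status 0 if an active auth entry still loads pam_ssh.so.
has_pam_ssh() {
    password_auth_modules "$1" | grep -qx 'pam_ssh.so'
}

# audit_dir DIR
# Reports every service file under a pam.d-style directory that still has
# pam_ssh.so active as an auth module; returns 1 if any were found.
audit_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if has_pam_ssh "$(cat "$f")"; then
            echo "$(basename "$f"): pam_ssh.so is active as an auth module"
            rc=1
        fi
    done
    return $rc
}

# Usage on the two constructed samples.
if has_pam_ssh "$DM_BEFORE"; then
    echo "before: pam_ssh.so active in display_manager"
fi
if has_pam_ssh "$DM_AFTER"; then
    echo "after: pam_ssh.so still active"
else
    echo "after: pam_ssh.so disabled in display_manager"
fi
```

Run `audit_dir /etc/pam.d` (as root, or any user who can read the files) to list the services that still let pam_ssh act as an authenticator; pam_krb5 entries are reported by `password_auth_modules` so the same secure-session caveat can be applied to them.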