| 1 |
Not too long ago there was a question here about why pam is |
| 2 |
needed (or not) but I can't find that thread at the moment :-/ |
| 3 |
|
| 4 |
Anyway, I said that I put "auth sufficient pam_ssh.so" in |
| 5 |
my /etc/pam.d/system-auth file so that I can ssh between |
| 6 |
the machines on my home network using my ssh key for login |
| 7 |
authentication *instead* of a password. |
| 8 |
|
| 9 |
Well, Neil said that I don't need pam for that because sshd |
| 10 |
handles ssh logins automatically, whether by key or password. |
| 11 |
|
| 12 |
I deleted that line from system-auth and found that I could |
| 13 |
indeed ssh between machines using my ssh key, just as Neil |
| 14 |
said. |
| 15 |
|
| 16 |
However... |
| 17 |
|
| 18 |
Then I remembered that the *real* reason I added that line |
| 19 |
to system-auth is so that I can login directly (not via ssh) |
| 20 |
to my local machines using my ssh passphrase instead of an |
| 21 |
ordinary password. (This seems inherently more secure to |
| 22 |
me, but I could be wrong.) |
| 23 |
|
| 24 |
After thinking awhile I realized that pam can be used to |
| 25 |
combine muliple forms of authentication to reduce the well |
| 26 |
documented risk of single-factor authentication (like our |
| 27 |
traditional password system). |
| 28 |
|
| 29 |
Example: if I have an ordinary password, plus an ssh key |
| 30 |
stored on a USB stick, plus a biometric device like an |
| 31 |
eye scanner or a fingerprint scanner, I can then use any |
| 32 |
or all of those methods to identify myself to the system |
| 33 |
by configuring pam in the appropriate way. |
| 34 |
|
| 35 |
Any sysadmins out there that can confirm my reasoning? |
Archives