Not too long ago there was a question here about why pam is
needed (or not) but I can't find that thread at the moment :-/

Anyway, I said that I put "auth sufficient pam_ssh.so" in
my /etc/pam.d/system-auth file so that I can ssh between
the machines on my home network using my ssh key for login
authentication *instead* of a password.

Well, Neil said that I don't need pam for that because sshd
handles ssh logins automatically, whether by key or password.

I deleted that line from system-auth and found that I could
indeed ssh between machines using my ssh key, just as Neil
said.

However...

Then I remembered that the *real* reason I added that line
to system-auth is so that I can log in directly (not via ssh)
to my local machines using my ssh passphrase instead of an
ordinary password. (This seems inherently more secure to
me, but I could be wrong.)

After thinking a while I realized that pam can be used to
combine multiple forms of authentication to reduce the
well-documented risk of single-factor authentication (like our
traditional password system).

Example: if I have an ordinary password, plus an ssh key
stored on a USB stick, plus a biometric device like an
eye scanner or a fingerprint scanner, I can then use any
or all of those methods to identify myself to the system
by configuring pam in the appropriate way.

Any sysadmins out there who can confirm my reasoning?
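
Editor's note: the "any or all" reasoning above comes down to which Linux-PAM control flag each line of the auth stack carries. The fragment below is an added illustration of that, not the poster's real /etc/pam.d/system-auth; the path and the pam_ssh.so line are taken from the post, pam_unix.so and pam_deny.so are the standard Linux-PAM modules, and the two variants are assumed alternatives to pick one of, not a stack to install as-is.

```conf
# Added illustration for /etc/pam.d/system-auth (not the poster's file).
# Pick ONE variant; the two are shown side by side only for contrast.
#
# Linux-PAM control flags used here:
#   sufficient - if the module succeeds, the auth stack ends with PASS
#                (unless an earlier "required" line already failed);
#                if it fails, the failure is ignored and the next line runs.
#   required   - if the module fails, the whole stack will FAIL, but the
#                remaining lines still run, so an attacker cannot tell
#                which line rejected them.

# --- Variant A: ANY one method is enough ("sufficient" = logical OR) ---
auth    sufficient   pam_ssh.so                   # typed secret decrypts a key in ~/.ssh?
auth    sufficient   pam_unix.so try_first_pass   # if not, is it the Unix password?
auth    required     pam_deny.so                  # neither succeeded: reject

# --- Variant B: ALL methods are needed ("required" = logical AND) ---
auth    required     pam_unix.so                  # must know the Unix password ...
auth    required     pam_ssh.so                   # ... AND hold a key the passphrase unlocks
```

Two caveats for anyone trying this. In Variant A the Unix password still works, so the passphrase is an alternative to the password rather than a replacement; dropping the pam_unix.so line would make the passphrase mandatory but also locks out every account that has no key in ~/.ssh (keep a root shell open while testing). Variant B is only a second factor in the "something you have" sense when the private key actually lives off the machine, as in the USB-stick idea above; a key sitting on the local disk adds a second secret, not a second factor.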