Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 66092 - pam_ssh prompt misleading
Summary: pam_ssh prompt misleading
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Daniel Ahlberg (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-10-02 00:14 UTC by Michael Wardle
Modified: 2005-07-05 12:40 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Wardle 2004-10-02 00:14:40 UTC
For some reason, the Gentoo package maintainer has changed the default pam_ssh module's prompt from "SSH passphrase: " to "Password: ".

While I can see that someone might find this useful on a suboptimally configured PAM authentication stack, the prompt is quite misleading, and should not be made this way by default.

This is particularly problematic because it cannot be reverted to its usual behavior without rebuilding.

It also hinders my intended use of pam_ssh, which is to allow the user to enter his/her SSH passphrase and automatically start ssh-agent, but:
1) only if they have a valid Unix account
2) only if they want to (else they type a blank passphrase to skip it)
3) even if their SSH passphrase is different from their Unix password

To achieve this, the configuration would look like this:
auth required pam_unix.so
auth optional pam_ssh.so

(With either no options to pam_ssh.so or try_first_pass)

This causes the user to see two "Password: " prompts, and it is impossible for the user to tell whether they incorrectly entered the first password incorrectly and so is being asked for a password from a different SSH module or whether they entered the first password correctly and is being asked for an optional extra step.

The whole point of the prompt is for the user to be able to tell which of his/her passwords or passphrases is required and this Gentoo-specific customization breaks this.

I would also note that in no circumstance is the user actually supplying a password to the SSH module: it is only used to authenticate using an SSH private key, which is always encrypted by a "passphrase", never a "password".


Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Comment 1 Daniel Webert 2005-05-21 08:33:14 UTC
ping - someone is working on this?
Comment 2 Martin Schlemmer (RETIRED) gentoo-dev 2005-07-05 12:40:47 UTC
Its been fixed in pam_ssh-1.91.