ssh-pam module configuration

thobias.reaper · 07-14-2006, 10:03 AM

I recently discovered the ssh-pam package. It authenticates the user by his ssh key at login and sets up the ssh-agent for the session. I think it is pretty smart, because the user only needs to enter one password for both login and ssh access. I wondered what the safest way is to set this up and if there are things to keep in mind to prevent bad things from happening. I would also like to know how the people here at LQ manage all the ssh/gnupg/pgp/certificates/loop-aes keys that they use on a daily basis.

unSpawn · 07-16-2006, 10:24 AM

I think your sshd needs to be compiled with -lpam support for this. "Safest" includes all the "usual" measures you would take for securing network access ssh: phrases instead of single words, pubkeys instead of passwords, not allowing root access, firewall only allowing access from known accounts (or ranges, and only if possible), PAM (listfile) only allowing access to known accounts, etc etc.