I just released a new version of pam_ssh which contains many (or even all) improvements from the Debian package.
I've migrated the CVS repository into Git.
All changes since 1.97 are now in Git only and the CVS repository will be removed soon.
This is a minor maintenance release to fix bugs:
A rough overview of what has changed since 1.92, which was the last real release from SourceForge:
- The module can now be used for session use only, if wanted. It
starts an ssh-agent without adding keys to it in that case.
- The option to allow blank passphrases is now 'nullok' while the
old option is still available but deprecated.
- The debug option is now really supported as documented.
- We didn't start the ssh-agent if the close_session module
wasn't called correctly but the ssh-agent was killed (e.g.
system crashes). That should be solved in almost all cases now.
- Improved logging
- SECURITY FIX: pam_ssh asked explicitly for the SSH passphrase
with a certain prompt if a user was found to exist, so the prompt
depended on whether the username was valid or invalid, which made
it easier for remote attackers to enumerate usernames.
(CVE-2009-1273)
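
The prompt-dependent behaviour described in the security fix above, modelled as an added example (this is not pam_ssh source code): a prompt chosen from the account lookup next to a uniform prompt, plus a regression check a maintainer could run over probe usernames. The prompt strings, function names and account list are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a PAM prompt decision; NOT pam_ssh source code. */
#define PROMPT_SSH     "SSH passphrase: "
#define PROMPT_GENERIC "Password: "

/* Constructed sample account list standing in for a passwd lookup. */
static const char *const known_users[] = { "alice", "bob" };

static bool user_exists(const char *user) {
    for (size_t i = 0; i < sizeof known_users / sizeof known_users[0]; i++)
        if (strcmp(known_users[i], user) == 0)
            return true;
    return false;
}

/* Before: the prompt text follows the account lookup, so the first
 * message already tells the client whether the username is valid. */
const char *prompt_leaky(const char *user) {
    return user_exists(user) ? PROMPT_SSH : PROMPT_GENERIC;
}

/* After: one prompt for every username; an unknown user fails later,
 * at the same point where a wrong passphrase would fail. */
const char *prompt_uniform(const char *user) {
    (void)user;
    return PROMPT_SSH;
}

/* Regression check: count probes whose prompt differs from the prompt
 * shown for the first probe. 0 means the prompt reveals nothing. */
size_t distinguishable(const char *(*prompt)(const char *),
                       const char *const *probes, size_t n) {
    size_t diff = 0;
    for (size_t i = 1; i < n; i++)
        if (strcmp(prompt(probes[0]), prompt(probes[i])) != 0)
            diff++;
    return diff;
}

int main(void) {
    /* Constructed probe set: two existing and two non-existing names. */
    const char *const probes[] = { "alice", "bob", "mallory", "nosuchuser" };
    printf("leaky: %zu, uniform: %zu\n",
           distinguishable(prompt_leaky, probes, 4),
           distinguishable(prompt_uniform, probes, 4));
    return 0;
}
```

A check like this belongs in the module's test suite so that a later change to the prompt logic cannot reintroduce the difference unnoticed.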
This version includes a security enhancement that disallows blank passphrases. An option is included for reverting to the old behavior.
This version is more portable about the way it juggles user IDs when starting the agent. As a result, it works on Linux systems. Also, it tries to run as the user rather than root as much as possible. Other portability changes were made as well, and as a result, pam_ssh now works on Mac OS X systems.
This version uses Automake, Autoconf, and Libtool, and seems to work on GNU/Linux systems in addition to FreeBSD. Many contributed bug fixes have been imported, and the OpenSSH code has been updated to 3.4p1. Also, a manual page has been added.
The main new feature in this release is that only one agent process is started per user per host, regardless of the number of concurrent sessions that user has started.
Other changes include a "keyfiles" option to specify which keys to use for authentication and to add to the agent. Also, the OpenSSH code used by pam_ssh was upgraded to 2.9p2.