pam_ssh / News: Recent posts

release 2.0

I just released a new version of pam_ssh which contains many (or even all) improvements from the Debian package.

  • added support for ECDSA keys
  • ssh-agent is now spawned in a different, improved way
  • ssh-agent is not started anymore for users without keys
  • support try_first_password PAM option
  • still ask for passphrase even if user does not exist
  • expect keys used for login in ~/.ssh/login-keys.d directory
    (see README; this behaviour will cause old setups to fail
    since the default keys are not used anymore for auth)
  • "keyfiles" option has been removed and all found keys
    which can be opened using the provided passphrase will be
    added to the agent
  • alternative keys not used for login purposes and not named
    like the default keys will be decrypted and saved for the
    agent when placed in ~/.ssh/session-keys.d directory
  • when there is no controlling tty, now use the PID to
    create the session file
  • return PAM_SESSION_ERR from within the session part
    instead of PAM_AUTH_ERR
  • honour TMPDIR when starting ssh-agent
  • start ssh-agent with GID of the group given at
    compile time to the new configure option

Posted by Wolfgang Rosenauer 2013-11-18

source moved to git

I've migrated the CVS repository into GIT.
All changes since 1.97 are now in GIT only and the CVS repository will be removed soon.

Posted by Wolfgang Rosenauer 2013-04-29

pam_ssh 1.98 has been released

This is a minor maintenance release to fix bugs:

  • Under some conditions, there is a double-free bug
    in pam_ssh. The data of the "ssh_agent_env_agent"
    pam_handle_t's item may have been freed without being
    nullified, which triggers a bug in the cleanup phase.
    (ticket #13 double-free bug with pam_ssh-1.97)
  • Before executing ssh-agent, pam_ssh restores root
    privileges with openpam_restore_cred, then uses only setuid
    to adjust privileges. Thus ssh-agent runs with gid 0.
    (ticket #12 pam_ssh doesn't set gid/groups before executing ssh-agent)
  • Clear signal mask before executing ssh-agent as
    pam_ssh code can be called from kdm with blocked TERM signal
    which would be inherited by ssh-agent
  • fixed crash caused by EOF password
    (ticket #14 pam_ssh segfaults on abort with empty password)

Posted by Wolfgang Rosenauer 2013-04-29

pam_ssh 1.97 has been released

A rough overview of what has changed since 1.92, which was the last real release from SourceForge:

- The module is usable now for session use only if wanted. It
starts an ssh-agent without adding keys to it in that case.
- The option to allow blank passphrases is now 'nullok' while the
old option is still available but deprecated.
- The debug option is now really supported as documented.
- We didn't start the ssh-agent if the close_session module
wasn't called correctly but the ssh-agent was killed (e.g.
system crashes). That should be solved in almost all cases now.
- Improved logging
- SECURITY FIX: pam_ssh used a certain prompt if a user was found
to exist to ask for the SSH passphrase explicitly depending on
whether the username was valid or invalid, which made it
easier for remote attackers to enumerate usernames.

Posted by Wolfgang Rosenauer 2009-04-13

pam_ssh 1.91 Released

This version includes a security enhancement that disallows blank passphrases. An option is included for reverting to the old behavior.

Posted by Andrew J. Korty 2004-04-12

pam_ssh 1.9 Released

This version is more portable about the way it juggles user IDs when starting the agent. As a result, it works on Linux systems. Also, it tries to run as the user rather than root as much as possible. Other portability changes were made as well, and as a result, pam_ssh now works on Mac OS X systems.

Posted by Andrew J. Korty 2004-02-21

pam_ssh 1.7 released

This version uses Automake, Autoconf, and Libtool, and seems to work on GNU/Linux systems in addition to FreeBSD. Many contributed bug fixes have been imported, and the OpenSSH code has been updated to 3.4p1. Also, a manual page has been added.

Posted by Andrew J. Korty 2002-08-10

pam_ssh 1.6 released

The main new feature in this release is that only one agent process is started per user per host, regardless of the number of concurrent sessions that user has started.

Other changes include a "keyfiles" option to specify which keys to use for authentication and to add to the agent. Also, the OpenSSH code used by pam_ssh was upgraded to 2.9p2.

Posted by Andrew J. Korty 2001-08-20