The auth_via_key function in pam_ssh.c in pam_ssh before 1.92, when the allow_blank_passphrase option is disabled, allows remote attackers to bypass authentication restrictions and use private encryption keys requiring a blank passphrase by entering a non-blank passphrase.

Issue does not seem to be fixed in pam_ssh in Fedora. Upstream version 1.92 contains fix:

2007-02-06  Andrew J. Korty  <ajk>

    * pam_ssh.c (key_load_private_maybe): New wrapper for key_load_private() that checks whether the private key's passphrase is blank. If so and if allow_blank_passphrase is set, this function returns NULL. This approach is necessary because key_load_private() will load a key with a blank passphrase regardless of the passphrase entered. Thanks to Rob Henderson for the report.

For more info, see Debian bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=439150

or additional references on CVE page:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0844
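The loader behaviour described in the changelog above, and why a wrapper that probes with an empty passphrase closes the gap, as an added example that is not part of the bug report and is not pam_ssh or OpenSSH code. struct key, load_private(), auth_prefix() and load_private_maybe() are hypothetical stand-ins; the pre-fix check is modelled as a test on the entered passphrase only, which is an assumption consistent with the description, and the wrapper rejects unprotected keys when the option is disabled, as the description requires.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a private key file; passphrase "" = unencrypted. */
struct key { const char *passphrase; };

/* Stand-in for key_load_private(): as the changelog says, a key with a
 * blank passphrase loads regardless of the passphrase entered. */
static const struct key *load_private(const struct key *k, const char *pass)
{
    if (k->passphrase[0] == '\0')
        return k;                       /* nothing to decrypt, pass ignored */
    return strcmp(k->passphrase, pass) == 0 ? k : NULL;
}

/* Assumed pre-fix logic: only the *entered* passphrase is tested for blank. */
static const struct key *auth_prefix(const struct key *k, const char *pass,
                                     int allow_blank)
{
    if (!allow_blank && pass[0] == '\0')
        return NULL;
    return load_private(k, pass);
}

/* Wrapper in the spirit of key_load_private_maybe(): probe with "" to learn
 * whether the key itself is unprotected, then apply the option. */
static const struct key *load_private_maybe(const struct key *k,
                                            const char *pass, int allow_blank)
{
    if (load_private(k, "") != NULL)    /* key has a blank passphrase */
        return allow_blank ? k : NULL;
    return load_private(k, pass);
}

int main(void)
{
    const struct key blank = { "" }, enc = { "s3cret" };  /* constructed keys */
    printf("pre-fix, blank key, typed 'x', option off: %s\n",
           auth_prefix(&blank, "x", 0) ? "ACCEPTED" : "rejected");
    printf("wrapper, blank key, typed 'x', option off: %s\n",
           load_private_maybe(&blank, "x", 0) ? "ACCEPTED" : "rejected");
    printf("wrapper, encrypted key, right passphrase:  %s\n",
           load_private_maybe(&enc, "s3cret", 0) ? "ACCEPTED" : "rejected");
    return 0;
}
```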
I didn't see that there was an update because there was no announcement... I'll monitor the files page now. Thanks for the report. The updated package should be in the repositories soon.
pam_ssh-1.92-2.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.