Food for thought regarding PAM

Andrew Morgan morgan at transmeta.com
Wed Dec 1 08:06:54 EST 1999


I'd like to claim that the patch below is no worse than any other patch
out there. It's actually a great deal cleaner than others that I've seen.
It also adds support (off by default) for a new PAM-only authentication
mode that activates if the client and server have PAM support compiled
in.

I actually have a PAM setup that enables me to use ssh with a
fingerprint reader, something that's exclusive to this PAM-only
authentication mode. There should be no reason why someone (in the free
world) couldn't implement modules that do RSA and other forms of
authentication with respect to the PAM-only mode provided in this patch.
Let's face it, if I can do fingerprint authentication, RSA should be
trivial.

I believe the original post on this thread was concerned with the idea
that it might be better to add full PAM support as a way to address the
problem of adding more and more authentication modes to openssh. I agree
with that sentiment - but then I would, wouldn't I :)

If you have a biomouse fingerprint reader, feel free to download the
module/agent combo here:


http://www.kernel.org/pub/linux/libs/pam/pre/modules/pam_biomouseplus-0.50.tar.gz

The ssh patch (which may be a little tricky to apply over the existing
PAM patch in openssh) is here:


http://www.kernel.org/pub/linux/libs/pam/pre/applications/ssh-patch-0.90.tar.gz

And the open source implementation of PAM is here:

 http://www.kernel.org/pub/linux/libs/pam/pre/library/

Mike Fisk wrote:
> Even if we can't find a nice way to do credential-based authentication,

> On Mon, 29 Nov 1999, Tor-Ake Fransson wrote:
> > But... what happens in the special case where you have to pass some strange
> > data, like a login context?

This should be covered.

Cheers

Andrew