Food for thought regarding PAM

Andrew Morgan morgan at transmeta.com
Wed Dec 1 08:12:06 EST 1999


Markus Friedl wrote:
> fyi, there are different opinions on PAM.
> this is from the lsh-distribution:
> -------------------------------------------------------------------------
> 
> NO PAM SUPPORT
> 
> I spent a day reading the PAM documentation. My conclusion was that
> PAM is not at all suited for handling ssh user authentication. There
> are three main problems, the first two of which would be show-stoppers
> for any SSH server, while the last is a problem that affects servers
> like lshd which doesn't fork() for each connection.
> 
> (i) The design of PAM is to hide all details about the actual
> authentication methods used, and that the application should never
> know anything about that. However, ssh user authentication is about
> particular authentication methods. When the client asks which

This sort of thing can be addressed by adding a single additional
PAM-only authentication mode. Something that only gets invoked if the
server and client support it.

> (ii) PAM wants to talk directly to the user, to ask for passwords,
> request password changes, etc. These messages are not abstracted *at*
> *all*, PAM gives the application a string and some display hints, and
> expects a string back as the users response. This mode of operation
> doesn't fit with the ssh user-authentication protocol.

This is the same point as the one above.

> (iii) The PAM conversation function expects the server to ask the user
> some question, block until a response is received, and then return the
> result to PAM. That is very unfriendly to a server using a select()

This is no longer the case. We added support for 'event loop' oriented
servers. It's also a problem that is specific to lsh's design and does
not actually apply to openssh.

Cheers

Andrew
