Food for thought regarding PAM

Andrew Morgan morgan at
Wed Dec 1 08:12:06 EST 1999

Markus Friedl wrote:
> fyi, there are different opinions on PAM.
> this is from the lsh-distribution:
> -------------------------------------------------------------------------
> I spent a day reading the PAM documentation. My conclusion was that
> PAM is not at all suited for handling ssh user authentication. There
> are three main problems, the first two of which would be show-stoppers
> for any SSH server, while the last is a problem that affects servers
> like lshd which doesn't fork() for each connection.
> (i) The design of PAM is to hide all details about the actual
> authentication methods used, and that the application should never
> know anything about that. However, ssh user authentication is about
> particular authentication methods. When the client asks which

This sort of thing can be addressed by adding a single additional
PAM-only authentication mode. Something that only gets invoked if the
server and client support it.

> (ii) PAM wants to talk directly to the user, to ask for passwords,
> request password changes, etc. These messages are not abstracted *at*
> *all*, PAM gives the application a string and some display hints, and
> expects a string back as the users response. This mode of operation
> doesn't fit with the ssh user-authentication protocol.

This is the same point as the one above.

> (iii) The PAM conversation function expects the server to ask the user
> some question, block until a response is received, and then return the
> result to PAM. That is very unfriendly to a server using a select()

This is no longer the case. We added support for 'event loop' oriented
servers. Its also a problem that is specific to lsh's design and does
not actually apply to openssh.



More information about the openssh-unix-dev mailing list