Food for thought regarding PAM

Mike Fisk mfisk at
Wed Dec 1 08:16:52 EST 1999

On Tue, 30 Nov 1999, Andrew Morgan wrote:

> I'd like to claim that the patch below is no worse than any other patch
> out there. Its actually a great deal cleaner than others that I've seen.
> It also adds support (off by default) for a new PAM-only authentication
> mode that activates if the client and server have PAM support compiled
> in.

I agree that it's a great design, but I'm very preoccupied by
compatibility with existing SSH clients and servers.  What would be nice
is a way to use PAM within the server for RSA, Kerberos, etc. without
having to use a PAM protocol option.

BTW, I haven't fully groked the BINARY conversation thingy, but how does
it compare to/work with GSS-API?  There are a growing number of daemons
that support GSS-API.

> Mike Fisk wrote:
> > Even if we can't find a nice way to do credential-based authentication,
> > On Mon, 29 Nov 1999, Tor-Ake Fransson wrote:
> > > But... what happens in the special case where you have to pass some strange
> > > data, like a login context?
> This should be covered.
> Cheers
> Andrew

Mike Fisk                   | (505)667-5119 | MS B255
Network Engineering (CIC-5) |               | Los Alamos National Lab
mfisk at              | FAX: 665-7793 | Los Alamos, NM  87545

More information about the openssh-unix-dev mailing list