Food for thought regarding PAM

Andrew Morgan morgan at transmeta.com
Wed Dec 1 08:27:55 EST 1999


Mike Fisk wrote:
> I agree that it's a great design, but I'm very preoccupied by
> compatibility with existing SSH clients and servers.  What would be nice
> is a way to use PAM within the server for RSA, Kerberos, etc. without
> having to use a PAM protocol option.

Believe me, I've thought about this long and hard. I think there is a
small chance that one might be able to subvert the binary message stream
within the server to transform such prompts into something that a PAM
unaware client might grok, but without a working module/agent pair for
something like RSA, it's hard to determine if the details work out.

> BTW, I haven't fully grokked the BINARY conversation thingy, but how does
> it compare to/work with GSS-API?  There are a growing number of daemons
> that support GSS-API.

I looked at the GSS-API stuff a few years ago, and decided that it was
too immature and somewhat baroque. To be frank, I've ignored it since -
in the meantime it has evidently matured... If you want to email me
some documentation pointers (privately), I'll take a look and make some
attempt to write up a summary.

Cheers

Andrew
