Food for thought regarding PAM
torake at hotmail.com
Tue Nov 30 09:35:59 EST 1999
Despite the fact that i have written pam modules, i am not sure about how it
really works, and how it would work in this case. ;)
I like the idea of modularizing the authentication, though.
But... what happens in the special case where you have to pass some strange
data, like a login context?
Example: DCE on AIX logging in algorithm:
1) authenticate, certify and validate. This gives you a login context
2) from the login context apprehended in 1), extract group information and
3) throw away the login context apprehended in 1)
3) set uid
4) authenticate with new uid to get a login context. Attach this login
context to the process to get network credentials.
5) set up the environment (kerberos ticket data access is in the
6) exec() the shell
And even worse, doing an RSA authentication:
1) Somehow transfer your local credentials to the server to enable accessing
the public key (can be done with ugly hack at least, i haven't investigated
further yet -- i know one thing, machine root usually doesn't (and
shouldn't!) automatically have access to user's files)
2) Try RSA authentication
3) set uid while retaining credentials
4) exec() the shell
Unless I suffer from total misconception conception, i think we (at least I)
would end up with plowing down work in a number of pam modules of virtually
no use to the community.
Just my $0.02.
CAE Systems, Scania CV
>From: Mike Fisk <mfisk at lanl.gov>
>To: openssh-unix-dev at mindrot.org
>Subject: Food for thought regarding PAM
>Date: Mon, 29 Nov 1999 17:45:49 +0000 (GMT)
>I'm new to this list, so please forgive me if this has been discussed
>It appears that one of the (commendable) design goals of OpenSSH is to
>re-use existing open-source libraries wherever possible in order to
>simplify the OpenSSH code and hopefully improve security in the process.
>As exhibited by the current, non-open SSH, supporting all of the nuances
>of authentication and logins on multiple platforms creates a lot of cases
>to be handled by the code.
>Would it not be more productive in the long run to create PAM modules that
>support all the various forms of authentication and logins? Then you can
>keep the SSH code simple, re-use existing vendor and open-source modules,
>and contribute to the set of open-source modules?
>It is true that PAM is not present on many platforms, but I presume
>that PAM could be ported to any system that supports dynamic
>linking and, if necessary, could even be statically linked if
>Again, it may not be the quickest path, but it might be more productive in
>the long run.
>Mike Fisk | (505)667-5119 | MS B255
>Network Engineering (CIC-5) | | Los Alamos National Lab
>mfisk at lanl.gov | FAX: 665-7793 | Los Alamos, NM 87545
Get Your Private, Free Email at http://www.hotmail.com
More information about the openssh-unix-dev