Food for thought regarding PAM

Tor-Ake Fransson torake at
Tue Nov 30 09:35:59 EST 1999

Despite the fact that i have written pam modules, i am not sure about how it 
really works, and how it would work in this case. ;)

I like the idea of modularizing the authentication, though.

But... what happens in the special case where you have to pass some strange 
data, like a login context?

Example: DCE on AIX logging in algorithm:

1) authenticate, certify and validate. This gives you a login context
2) from the login context apprehended in 1), extract group information and 
set groups
3) throw away the login context apprehended in 1)
3) set uid
4) authenticate with new uid to get a login context. Attach this login 
context to the process to get network credentials.
5) set up the environment (kerberos ticket data access is in the 
6) exec() the shell

And even worse, doing an RSA authentication:
1) Somehow transfer your local credentials to the server to enable accessing 
the public key (can be done with ugly hack at least, i haven't investigated 
further yet -- i know one thing, machine root usually doesn't (and 
shouldn't!) automatically have access to user's files)
2) Try RSA authentication
3) set uid while retaining credentials
4) exec() the shell

Unless I suffer from total misconception conception, i think we (at least I) 
would end up with plowing down work in a number of pam modules of virtually 
no use to the community.

Just my $0.02.

Tor-Åke Fransson
CAE Systems, Scania CV

>From: Mike Fisk <mfisk at>
>To: openssh-unix-dev at
>Subject: Food for thought regarding PAM
>Date: Mon, 29 Nov 1999 17:45:49 +0000 (GMT)
>I'm new to this list, so please forgive me if this has been discussed
>It appears that one of the (commendable) design goals of OpenSSH is to
>re-use existing open-source libraries wherever possible in order to
>simplify the OpenSSH code and hopefully improve security in the process.
>As exhibited by the current, non-open SSH, supporting all of the nuances
>of authentication and logins on multiple platforms creates a lot of cases
>to be handled by the code.
>Would it not be more productive in the long run to create PAM modules that
>support all the various forms of authentication and logins?  Then you can
>keep the SSH code simple, re-use existing vendor and open-source modules,
>and contribute to the set of open-source modules?
>It is true that PAM is not present on many platforms, but I presume
>that PAM could be ported to any system that supports dynamic
>linking and, if necessary, could even be statically linked if
>Again, it may not be the quickest path, but it might be more productive in
>the long run.
>Mike Fisk                   | (505)667-5119 | MS B255
>Network Engineering (CIC-5) |               | Los Alamos National Lab
>mfisk at              | FAX: 665-7793 | Los Alamos, NM  87545

Get Your Private, Free Email at

More information about the openssh-unix-dev mailing list