Food for thought regarding PAM

Mike Fisk mfisk at
Tue Nov 30 10:18:19 EST 1999

I'm only now delving into issues such as ticket passing with PAM. 
There is a mentioned but undocumented part of the PAM conversation
mechanism in the current Linux-PAM documentation that mentions
PAM_BINARY_PROMPT and PAM_BINARY_MSG for this kind of problem.

The following note in the pam-list archives says that it was developed
by Andrew Morgan and Andrey Vladimirovich with SSH in mind.   Andrew's
patches to SSH are at:

Unfortunately, those patches aren't compatible with the existing SSH
protocol messages for Kerberos, RSA, etc.  

Even if we can't find a nice way to do credential-based authentication,
it would still be useful for password based authentications (all the
junk in auth-passwd.c) and the platform-specific login code in sshd.c.

On Mon, 29 Nov 1999, Tor-Ake Fransson wrote:

> Despite the fact that i have written pam modules, i am not sure about how it 
> really works, and how it would work in this case. ;)
> I like the idea of modularizing the authentication, though.
> But... what happens in the special case where you have to pass some strange 
> data, like a login context?
> Example: DCE on AIX logging in algorithm:

Mike Fisk                   | (505)667-5119 | MS B255
Network Engineering (CIC-5) |               | Los Alamos National Lab
mfisk at              | FAX: 665-7793 | Los Alamos, NM  87545

More information about the openssh-unix-dev mailing list