Food for thought regarding PAM
Mike Fisk
mfisk at lanl.gov
Tue Nov 30 10:18:19 EST 1999

I'm only now delving into issues such as ticket passing with PAM.
There is a mentioned but undocumented part of the PAM conversation
mechanism in the current Linux-PAM documentation that mentions
PAM_BINARY_PROMPT and PAM_BINARY_MSG for this kind of problem.

The following note in the pam-list archives says that it was developed
by Andrew Morgan and Andrey Vladimirovich with SSH in mind. Andrew's
patches to SSH are at:

http://www.kernel.org/pub/linux/libs/pam/pre/applications/ssh-patch-0.90.tar.gz

Unfortunately, those patches aren't compatible with the existing SSH
protocol messages for Kerberos, RSA, etc.

Even if we can't find a nice way to do credential-based authentication,
it would still be useful for password-based authentications (all the
junk in auth-passwd.c) and the platform-specific login code in sshd.c.

On Mon, 29 Nov 1999, Tor-Ake Fransson wrote:
> Despite the fact that I have written PAM modules, I am not sure about how it
> really works, and how it would work in this case. ;)
>
> I like the idea of modularizing the authentication, though.
>
> But... what happens in the special case where you have to pass some strange
> data, like a login context?
>
> Example: DCE on AIX logging in algorithm:
=====================================================================
Mike Fisk | (505)667-5119 | MS B255
Network Engineering (CIC-5) | | Los Alamos National Lab
mfisk at lanl.gov | FAX: 665-7793 | Los Alamos, NM 87545