i think this is great
Theo E. Schlossnagle
theos at cnds.jhu.edu
Wed Sep 27 00:19:00 EST 2000
Michael Stone wrote:
> If the SSH way of doing things didn't have limitations, people wouldn't
> have to shoehorn anything.
I don't think that is the right way of looking at things. I think that SSH's "way
of doing things" lacks some robustness, but there are also real problems with
many PAM implementations (the module side).
The real problem that I faced with SecurID integration using PAM was not that
PAM had to be retrofitted to SSH. The PAM module worked great, but like many
other PAM modules, for
  o complicated challenge response
  o next token required
  o new pin activation dialogue
  o change pin required dialogue
the PAM module assumed that it can carry on this dialogue via terminal.
SSH has not yet assigned a terminal at this stage (and frankly shouldn't).
You *could* assign a terminal for this dialogue (which most people with
SecurID do), but that fundamentally breaks things that expect a successful
login once the password was accepted. (e.g. scp, cvs, rsync, tar, cpio, etc.)
--
Theo Schlossnagle
1024D/A8EBCF8F/13BD 8C08 6BE2 629A 527E 2DC2 72C2 AD05 A8EB CF8F
2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7
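
An added example, not part of the original message and not code from OpenSSH or any PAM module: a PAM conversation callback for a service that holds one secret and has no terminal, so the next-token and PIN dialogues listed above fail cleanly instead of waiting on a tty. The names `oneshot` and `oneshot_conv` are hypothetical, and the fallback definitions (used only when the PAM headers are absent) are assumed to match Linux-PAM's layout and values.

```c
#include <stdlib.h>
#include <string.h>
#if defined(__has_include) && __has_include(<security/pam_appl.h>)
#include <security/pam_appl.h>
#else /* fallback with Linux-PAM's layout and values, so this builds without the headers */
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
enum { PAM_SUCCESS = 0, PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON,
       PAM_ERROR_MSG, PAM_TEXT_INFO, PAM_CONV_ERR = 19 };
#endif

/* Hypothetical state: one secret supplied up front, no terminal to prompt on. */
struct oneshot { const char *secret; int used; int refused; };

/* Conversation callback: answer the first hidden prompt, refuse every later one. */
static int oneshot_conv(int n, const struct pam_message **msg,
                        struct pam_response **resp, void *appdata)
{
    struct oneshot *st = appdata;
    struct pam_response *r = n > 0 ? calloc((size_t)n, sizeof *r) : NULL;
    int i;

    if (r == NULL)
        return PAM_CONV_ERR;
    for (i = 0; i < n; i++) {
        int style = msg[i]->msg_style;
        if (style == PAM_TEXT_INFO || style == PAM_ERROR_MSG)
            continue;              /* nowhere to show it, no reply expected */
        if (style != PAM_PROMPT_ECHO_OFF || st->used) {
            st->refused++;         /* next token, new PIN, ...: cannot answer */
            goto fail;
        }
        if ((r[i].resp = malloc(strlen(st->secret) + 1)) == NULL)
            goto fail;
        strcpy(r[i].resp, st->secret);
        st->used = 1;
    }
    *resp = r;                     /* the PAM side frees the array and its strings */
    return PAM_SUCCESS;
fail:
    for (i = 0; i < n; i++)
        free(r[i].resp);
    free(r);
    return PAM_CONV_ERR;
}
```

A service would pass this as the `conv` member of the `struct pam_conv` given to `pam_start()`, with a `struct oneshot` as `appdata_ptr`; a non-zero `refused` count after a failed authentication tells the caller that the module wanted a further dialogue round.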
More information about the openssh-unix-dev
mailing list