configurable authenticator

Don Graves dongra at nortelnetworks.com
Tue Apr 10 23:53:27 EST 2001


G'day,

I am new to the list, but not to ssh.  I have been testing openssh for a while,
and in the process, I have been able to modify it to meet a special need.  I'll
try to explain:

I have a need to use an external password authentication mechanism in
conjunction with sshd.  The way it works is sshd sends the userid and password,
via stdin, to another program that lives on the same machine as the sshd server.
This external authenticator takes the userid and password, performs the
authentication (uses its own method) and returns an exit code of 0 on success
(authenticated) and non-0 on failure (not authenticated).  The sshd server uses
this to determine whether or not the user is allowed to remain connected.

I have set it up so that sshd needs to know almost nothing about the external
authenticator.  It just knows that it accepts the userid and password via stdin,
and that it exits with zero or not.  The external authenticator is configured in
sshd_config something like so:

ExternalAuthenticator /usr/local/bin/ext_auth

In my case, ext_auth is a compiled C program that calls up a central
authentication server, and it does its own syslogging.

I chose to use stdin because passing the password via the command line or a temp
file is an obviously insecure method.  This way, the password only lives in
memory (plus it never goes over the network).

The reason for making this configurable was to make it so that we could upgrade
ext_auth without ever having to touch sshd code.  Also, this gives us an
opportunity to centrally control which users are able to connect to which unix
servers (we have thousands of them).

ext_auth could potentially be anything you want it to be (hook into securid if
you want).

My questions:

1) Would this type of thing be useful to anyone else?
2) Did I reinvent the wheel (keep in mind I did this last summer, then put it
aside for several months)?
3) Would I be able to get this feature into the openssh release cycle somehow?
We don't want to have to edit each new version of openssh.  :-)

Any feedback (positive or negative) would be greatly appreciated.

Thanks,
Don Graves
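The caller/authenticator contract described above (credentials over stdin, exit status as the only answer), as an added example that is not the poster's patch or OpenSSH code. The post does not specify a wire format, so this assumes two newline-terminated lines, userid then password; the function names, the inline user table in the stand-in authenticator, and the ownership/permission check on the configured program path are likewise assumptions added here, the last being a caveat for anything sshd would execute as root.

```python
"""Added example (not OpenSSH or the poster's code): a caller that hands a
userid and password to an external authenticator over stdin and trusts only
its exit status, plus a constructed stand-in for ext_auth to run against.

Assumed wire format (the post does not specify one): two newline-terminated
lines, userid then password. Everything else here is illustrative."""
import os
import stat
import subprocess
import sys

# Constructed stand-in for /usr/local/bin/ext_auth. It reads the two lines,
# checks them against an inline table (a real one would query the central
# server) and exits 0 only on success. Run via `python -c` so the example is
# self-contained; a real authenticator would be a separate executable.
SAMPLE_EXT_AUTH = r"""
import hmac, sys
USERS = {"alice": b"correct horse", "bob": b"hunter2"}   # constructed data
lines = sys.stdin.buffer.read().split(b"\n")
if len(lines) != 3 or lines[2] != b"":        # expect exactly user\npass\n
    sys.exit(2)                               # malformed input = failure
user, password = lines[0].decode("utf-8", "replace"), lines[1]
ok = user in USERS and hmac.compare_digest(USERS[user], password)
sys.exit(0 if ok else 1)
"""
SAMPLE_AUTHENTICATOR = [sys.executable, "-c", SAMPLE_EXT_AUTH]
# An authenticator that never answers, to exercise the timeout path.
HANGING_AUTHENTICATOR = [sys.executable, "-c", "import time; time.sleep(60)"]


def check_authenticator_path(path, expected_uid=0):
    """Return None if `path` is safe for a root daemon to execute, else a reason.

    sshd would run the configured program as root, so the file must be an
    absolute path, a regular file owned by the expected uid, and not writable
    by group or others (assumed policy, not something the post describes)."""
    if not os.path.isabs(path):
        return "not an absolute path"
    try:
        st = os.stat(path)
    except OSError as e:
        return f"stat failed: {e.strerror}"
    if not stat.S_ISREG(st.st_mode):
        return "not a regular file"
    if st.st_uid != expected_uid:
        return f"owned by uid {st.st_uid}, expected {expected_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "writable by group or others"
    return None


def external_authenticate(argv, user, password, timeout=10.0):
    """Feed user and password to the authenticator on stdin; True iff it exits 0.

    The credential never appears in argv or the environment, so it is not
    visible in `ps`. A crash (negative returncode on POSIX), a hang, a
    malformed reply or a failure to spawn are all authentication failures."""
    if any("\n" in v or "\0" in v for v in (user, password)):
        return False      # cannot be framed unambiguously in the line protocol
    payload = f"{user}\n{password}\n".encode("utf-8", "surrogateescape")
    try:
        proc = subprocess.run(argv, input=payload, capture_output=True,
                              timeout=timeout, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return False      # run() has already killed a timed-out child
    return proc.returncode == 0


if __name__ == "__main__":
    print("alice/ok     ->", external_authenticate(SAMPLE_AUTHENTICATOR, "alice", "correct horse"))
    print("alice/wrong  ->", external_authenticate(SAMPLE_AUTHENTICATOR, "alice", "wrong"))
    print("unknown user ->", external_authenticate(SAMPLE_AUTHENTICATOR, "mallory", "x"))
    print("hang/timeout ->", external_authenticate(HANGING_AUTHENTICATOR, "alice",
                                                   "correct horse", timeout=1.0))
```

Two points the exit-code-only contract leaves to the caller: the password must be rejected up front if it cannot be framed in the chosen line protocol (otherwise an embedded newline lets a client shift which bytes the authenticator reads as the password), and a timed-out or signal-killed authenticator must count as a failure rather than a retry, since the daemon cannot tell a slow backend from a deliberately stalled one.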





More information about the openssh-unix-dev mailing list