PAM & Configure

Damien Miller djm at mindrot.org
Wed Jan 17 12:07:15 EST 2001 

On Tue, 16 Jan 2001, Darren J Moffat wrote:

> Damien Miller wrote:
> > The change was made because there is no workable way to make PAM work
> > 'out of the box'. Each vendor implements PAM a little differently and
> > there appears to be no standard on the naming of modules or the augments
> > they take.
> 
> Just a point to note here; SSHD as an application should NOT be
> dependant on any module existing. Applications should not assume
> anything about what modules are available since this breaks the entire
> concept of what PAM is all about. If this is the reason why PAM is
> being disabled then there are wrong assumptions in SSHD about what PAM
> should be doing and those should be fixed.

sshd doesn't, but how are you supposed to install a default 
configuration file if there is not set of standard modules with
standard arguments?

> Could you give a summary of what problems there were with the PAM
> framework being different on platforms specifically how that relates
> to OpenSSH ?

There is no way to cleanly install a default config across the various
versions of PAM. Different implementations use different modules with
different arguments (even pam_unix.so can't be trusted to have the same
args between different Linux distributions).

The PAM API is annoying in that it has been (presumably) crafted to fit
the needs of login or telnet. i.e get a bit of information at a time, 
return textual prompts and then get the next bit. We have to resort to
kludges (the conversation function which assumes ECHO_OFF prompts are
asking for passwords) to get the username and password into PAM in the 
first place.

The SSH2 KbdInteractive auth mode is a better match to the PAM way of 
doing things, but it would be nice if PAM had more flexability in its
API.

My other gripe about PAM (unrelated to ssh) is that it doesn't seperate
mechanism and policy. Specifying .so files with magic options is just too
fragile.

> FYI PAM was proposed to X/Open as a draft standard but never got
> completed, 
> AFAIK Linux and Solaris are similar in most respects for PAM.
> Solaris implements what was in the standard but Linux went off and
> "embraced
> and extended (with source available)" and made enhancements and changes
> to this.

Has there been any movement towards reworking the standard?

-d

-- 
| ``We've all heard that a million monkeys banging on | Damien Miller -
| a million typewriters will eventually reproduce the | <djm at mindrot.org>
| works of Shakespeare. Now, thanks to the Internet, / 
| we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org

More information about the openssh-unix-dev mailing list