PAM & Configure

Smith, Donald Donald.Smith at qwest.com
Thu Jan 18 04:41:12 EST 2001 

Damien having said that PAM is an unmanagable pain what is the 
objection to haveing Theo Schlossnagle's securid patch included into the cvs
tree?

The pam+kbdinteractive is not a solution if you have to support older ssh
clients (protocal 1).

Donald.Smith at qwest.com IP Engineering Security
303-226-9939/0688 Office/Fax
720-320-1537 cell

> -----Original Message-----
> From: Damien Miller [mailto:djm at mindrot.org]
> Sent: Tuesday, January 16, 2001 6:07 PM
> To: Darren J Moffat
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: PAM & Configure
> 
> 
> On Tue, 16 Jan 2001, Darren J Moffat wrote:
> 
> > Damien Miller wrote:
> > > The change was made because there is no workable way to 
> make PAM work
> > > 'out of the box'. Each vendor implements PAM a little 
> differently and
> > > there appears to be no standard on the naming of modules 
> or the augments
> > > they take.
> > 
> > Just a point to note here; SSHD as an application should NOT be
> > dependant on any module existing. Applications should not assume
> > anything about what modules are available since this breaks 
> the entire
> > concept of what PAM is all about. If this is the reason why PAM is
> > being disabled then there are wrong assumptions in SSHD 
> about what PAM
> > should be doing and those should be fixed.
> 
> sshd doesn't, but how are you supposed to install a default 
> configuration file if there is not set of standard modules with
> standard arguments?
> 
> > Could you give a summary of what problems there were with the PAM
> > framework being different on platforms specifically how that relates
> > to OpenSSH ?
> 
> There is no way to cleanly install a default config across the various
> versions of PAM. Different implementations use different modules with
> different arguments (even pam_unix.so can't be trusted to 
> have the same
> args between different Linux distributions).
> 
> The PAM API is annoying in that it has been (presumably) 
> crafted to fit
> the needs of login or telnet. i.e get a bit of information at a time, 
> return textual prompts and then get the next bit. We have to resort to
> kludges (the conversation function which assumes ECHO_OFF prompts are
> asking for passwords) to get the username and password into 
> PAM in the 
> first place.
> 
> The SSH2 KbdInteractive auth mode is a better match to the PAM way of 
> doing things, but it would be nice if PAM had more flexability in its
> API.
> 
> My other gripe about PAM (unrelated to ssh) is that it 
> doesn't seperate
> mechanism and policy. Specifying .so files with magic options 
> is just too
> fragile.
> 
> > FYI PAM was proposed to X/Open as a draft standard but never got
> > completed, 
> > AFAIK Linux and Solaris are similar in most respects for PAM.
> > Solaris implements what was in the standard but Linux went off and
> > "embraced
> > and extended (with source available)" and made enhancements 
> and changes
> > to this.
> 
> Has there been any movement towards reworking the standard?
> 
> -d
> 
> -- 
> | ``We've all heard that a million monkeys banging on | 
> Damien Miller -
> | a million typewriters will eventually reproduce the | 
> <djm at mindrot.org>
> | works of Shakespeare. Now, thanks to the Internet, / 
> | we know this is not true.'' - Robert Wilensky UCB / 
http://www.mindrot.org

More information about the openssh-unix-dev mailing list