Porting OpenSSH's authentication to PNIAM

Shesterikov Maxim (sm) ShesMax at ru.hilti.com
Wed Mar 7 18:38:45 EST 2001


We ported OpenSSH's authentication to Pluggable Non-Interactive
Authentication Modules (PNIAM). 
PNIAM is a development effort carried out under GPL in Moscow State
University.

Pluggable Non Interactive Authentication Modules provide applications with a
generic interface to authentication related functions. Actions to be done for
each authentication request are specified by a system administrator in terms
of dynamically loaded modules. The PNIAM design incorporates the best ideas of
the PAM (Pluggable Authentication Modules) project. The main difference between
PAM and PNIAM is the target. The main target of PNIAM is a clear and reliable
authentication scheme for Internet servers. Internet protocols usually specify
a fixed set of requests and replies between the server and the client. This
makes interactive authentication hardly possible. PNIAM deals with a set of
requests and replies rather than interacting with the user. That's why the
words "Non Interactive" are in the name.

Requests and replies are exchanged using lists of named items.

PNIAM runs on Linux, but it has a generic architecture that allows porting it
to other systems, too. AAA modules are system-specific or generic.

We provide a variety of authentication, authorization, and accounting modules.

Authentication:         Using /etc/passwd, /etc/shadow; plain password,
                        challenge-response, OTP using a separate user database;
Authorization:          Dealing with /etc/passwd, setting chroots, providing
                        access according to time / terminal name / host name;
Accounting:             Dealing with lastlog and utmp;
Authentication token
validation:             Simple checks, cracklib;
Miscellaneous:          pniam_rootok, pniam_count, pniam_nologin, pniam_allow
                        and pniam_deny.

We also incorporated PNIAM support in quite a few, but important,
applications:
	- login
	- passwd
	- su
	- chfn
	- vlock
	- FTP
	- RADIUS
	- OpenSSH

We consider OpenSSH a crucial component of a PNIAM-aware infrastructure. We
ported all authentication schemes supported in OpenSSH 2.3.1p1: SSH1, SSH2
including keyboard-interactive (although discussion with Martin Forssen showed
that our implementation is somewhat incorrect). The OpenSSH port is used on an
experimental cluster system at MSU. It appears to be stable and reliable.

From a technical point of view most of the changes are stored in separate
files. They also contain modified versions of the auth_: functions. The
configure.in script is amended so that it links the PNIAM-aware files instead
of the conventional ones if either -with-pniam is specified or pniam.h is
found. There are also quite a few places where we ifdef-ed our changes into
the main code trunk:
	- OpenSSH requires a user to be present in /etc/passwd. This is not
	  true in PNIAM, because an authentication stack is the only decider
	  about authentication success or failure.
	- This principle also eliminates the need for sshd_config's
	  configuration parameters dealing with authentication. As a
	  consequence the server advertises itself as supporting all known
	  authentication schemes. The server does not disclose information
	  about valid authentication methods.
	- All user credentials are retrieved from the PNIAM authorization
	  stack instead of from /etc/passwd.
	- Accounting is done through PNIAM's accounting stack, not by the
	  server itself.
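The following C program is an added illustration of the design points above
(a non-interactive stack that exchanges lists of named items and is the only
decider, with its own user database rather than /etc/passwd). It is not
PNIAM's code and not its real API: the type names, the result codes, the
module names and the in-memory user records are all assumptions made up for
this example.

```c
/* Hypothetical model of a non-interactive AAA stack (not PNIAM's API). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A request or reply is a list of named items. */
struct item { const char *name; const char *value; };

/* Assumed verdicts: OK and FAIL decide, IGNORE means "no opinion". */
enum result { RES_OK = 0, RES_FAIL = 1, RES_IGNORE = 2 };

/* Look up a named item in a request; NULL if absent. */
static const char *item_get(const struct item *req, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(req[i].name, name) == 0)
            return req[i].value;
    return NULL;
}

/* Every module sees the same request list and returns a verdict; no module
 * ever talks to the user, which is what "non-interactive" means here. */
typedef enum result (*module_fn)(const struct item *req, size_t n);

/* Constructed in-memory user database: the stack's own data, not /etc/passwd. */
struct user_rec { const char *user; const char *password; int nologin; };
static const struct user_rec users[] = {
    { "alice", "correct-horse",  0 },
    { "bob",   "battery-staple", 1 },   /* exists but is locked */
};

static const struct user_rec *find_user(const char *name)
{
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (name && strcmp(users[i].user, name) == 0)
            return &users[i];
    return NULL;
}

/* Constant-time comparison: a wrong password does not leak how many leading
 * characters matched. A length difference is still a mismatch. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Module 1: plain password check against the module's own database. */
static enum result mod_password(const struct item *req, size_t n)
{
    const struct user_rec *u = find_user(item_get(req, n, "user"));
    const char *pw = item_get(req, n, "password");
    if (!u || !pw) return RES_FAIL;
    return ct_equal(u->password, pw) ? RES_OK : RES_FAIL;
}

/* Module 2: refuse locked accounts (stand-in for a nologin-style module). */
static enum result mod_nologin(const struct item *req, size_t n)
{
    const struct user_rec *u = find_user(item_get(req, n, "user"));
    return (u && u->nologin) ? RES_FAIL : RES_IGNORE;
}

/* Module 3: require a client host name (stand-in for host-based authorization). */
static enum result mod_require_host(const struct item *req, size_t n)
{
    return item_get(req, n, "host") ? RES_IGNORE : RES_FAIL;
}

static const module_fn auth_stack[] = { mod_password, mod_nologin, mod_require_host };

/* Run the whole stack. Every module is evaluated even after a failure, so the
 * caller gets one verdict and the remote client cannot tell which module
 * rejected the request. A stack in which no module said OK is a failure too.
 * Returns 1 on success, 0 on failure. */
int run_stack(const struct item *req, size_t n)
{
    int ok = 0, failed = 0;
    for (size_t i = 0; i < sizeof auth_stack / sizeof auth_stack[0]; i++) {
        enum result r = auth_stack[i](req, n);
        if (r == RES_FAIL) failed = 1;
        if (r == RES_OK) ok = 1;
    }
    return ok && !failed;
}

/* Build the request list the way a server would and run it through the stack. */
int authenticate(const char *user, const char *password, const char *host)
{
    struct item req[3];
    size_t n = 0;
    if (user)     req[n++] = (struct item){ "user", user };
    if (password) req[n++] = (struct item){ "password", password };
    if (host)     req[n++] = (struct item){ "host", host };
    return run_stack(req, n);
}

int main(void)
{
    printf("alice, right password: %d\n", authenticate("alice", "correct-horse", "client.example"));
    printf("alice, wrong password: %d\n", authenticate("alice", "wrong", "client.example"));
    printf("bob, locked account:   %d\n", authenticate("bob", "battery-staple", "client.example"));
    printf("unknown user:          %d\n", authenticate("carol", "x", "client.example"));
    return 0;
}
```

The point of evaluating all modules rather than stopping at the first
failure, and of treating a stack with no positive verdict as a failure, is
that the only thing the server ever learns (and thus the only thing it can
leak to the client) is a single yes/no answer.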

We believe that PNIAM provides the Internet community with a clear and
reliable AAA architecture. Thus, it contributes benefits to all
authentication-requiring applications. From our point of view there are
mutual gains for PNIAM and OpenSSH, too.

We would like to know whether it is possible to incorporate our changes in the
OpenSSH code trunk.

The PNIAM home page is at http://www.msu.ru/pniam.html
The OpenSSH port is at http://libraftp.narod.ru/pniam.html

Alexey Galatenko <agalat at castle.nmd.msu.ru>
Maxim Shesterikov <shesmax at ru.hilti.com>
Andrey Savochkin <saw at saw.sw.com.sg>
