SecurID

Theo E. Schlossnagle jesus at omniti.com
Tue Mar 20 14:28:43 EST 2001


Dan Kaminsky wrote:
> 
> > >     Any objection to a "Userspace PAM", i.e. a password authenticating
> > > equivalent to ProxyCommand for proxy tunneling?  I'd probably name it
> > > AuthCommand.
> >
> > I don't understand what you are proposing.
> 
> AuthCommand "/usr/bin/secureid_check secureid.company.com $username
> $password"

I don't understand.  There are existing PAM SecurID implementations.  OpenSSH
already supports PAM.  It uses the kbd-interactive feature in protocol 2 of
ssh.  There are also implementations that will just do "dumb" SecurID
authentication using a normal PAM security check module.

PAM is great. This is what it is designed for.

The reason there is a patch is that SecurID can have multiple interactions
before a successful login (it can request the next FOB token).  So, it needs
to be integrated with SSH so that services like CVS and rsync will still
work.  ssh1 is still used widely (as a client), so supporting it only via PAM
won't work (needs ssh2 to work right).

I will talk with Damien directly about putting the patch in contrib/.

--
Theo Schlossnagle
1024D/A8EBCF8F/13BD 8C08 6BE2 629A 527E  2DC2 72C2 AD05 A8EB CF8F
2047R/33131B65/71 F7 95 64 49 76 5D BA  3D 90 B9 9F BE 27 24 E7





More information about the openssh-unix-dev mailing list