PAM, keyboard interactive, pam-1 at ssh.com, interoperability

Darren Moffat Darren.Moffat at eng.sun.com
Thu Nov 29 06:40:31 EST 2001


>+ I can configure openssh for PAM, and it works fine (negotiating ssh2
>  keyboard interactive auth method).

Which is the correct way to do it.

>+ I can configure ssh.com-3.0.1 for PAM, and it also works fine
>  (negotiating ssh2 pam-1 at ssh.com auth method).

This is broken, I've told SSH Inc about this, and they agreed it was broken
but don't seem to have done anything about it.  There is a discussion
about this in either the openssh-unix-dev archives or the ietf-ssh archives,
I can't remember where (I know some of it was private email to/from me
and some SSH Inc people).

>* Does anyone have plans to incorporate pam-1 at ssh.com into openssh,
>  or know of plans to incorporate keyboard-interactive into ssh.com's
>  product?

pam-1 at ssh.com should never appear in OpenSSH in my opinion.  Their design
is fundamentally flawed because if a client doesn't say it can do 
pam-1 at ssh.com as an authentication mechanism no PAM code is ever run - this
means that the user can bypass authentication policy.

In OpenSSH, if password authentication is used then PAM is used; as you have
noticed, you can also use keyboard interactive mode to run "non-trivial"
PAM modules.

Even in the case of using PublicKey authentication, PAM account management
functionality is still run in OpenSSH; this is not the case in the versions
of SSH Inc code I have reviewed - this comes back to the fundamental flaw
in their design of requiring the client to request PAM authentication.

>* Are the openssh code maintainers open to a contribution of
>  pam-1 at ssh.com support, or is this just too sore a subject for
>  somebody?

The correct way to do this (if the design hadn't been flawed) would be
to create an IETF internet draft (and eventually RFC) so that the @ssh.com
part could be removed.  However, Keyboard Interactive, which already exists
as an I-D, covers everything needed to do PAM.

>* Or am I missing something -- do I have more interoperability than
>  I think I do?

One final point.  PAM is a server side API to allow abstraction of code
into a library to simplify applications; it is not and never will be an
authentication mechanism in its own right - that ground is covered by GSS.

--
Darren J Moffat
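The point above is that PAM policy should apply regardless of which authentication method the client offers. As an added example (not from this thread or from OpenSSH), here is a small audit that parses an sshd_config fragment and reports whether sshd would ever consult PAM; it assumes the modern keyword names UsePAM, KbdInteractiveAuthentication and PasswordAuthentication and their documented defaults, and the sample configs are constructed.

```python
"""Audit an sshd_config fragment for the 'PAM never runs' gap."""
import re

# Constructed sample configs, not taken from any real host.
WEAK_CONFIG = """
# PAM is never consulted: nothing here routes through PAM at all
UsePAM no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""

GOOD_CONFIG = """
UsePAM yes                        # account/session management runs for every method
PasswordAuthentication no
KbdInteractiveAuthentication yes  # lets challenge/response PAM modules converse
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} keeping the FIRST value for each keyword,
    which is how sshd resolves duplicates (Match blocks are not modelled)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts


def pam_findings(text):
    """List policy gaps; an empty list means PAM is engaged for all methods."""
    opts = parse_sshd_config(text)
    yes = lambda key, default: opts.get(key, default).lower() == "yes"
    findings = []
    if not yes("usepam", "no"):                  # sshd default: UsePAM no
        findings.append("UsePAM no: PAM auth and account management never run, "
                        "so PAM policy can be bypassed by any method")
    elif not yes("kbdinteractiveauthentication", "yes") and \
            not yes("passwordauthentication", "yes"):
        findings.append("No keyboard-interactive or password method: only PAM "
                        "account/session management runs, no PAM auth modules")
    return findings
```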
