PAM, keyboard interactive, pam-1 at ssh.com, interoperability
carl at bl.echidna.id.au
carl at bl.echidna.id.au
Thu Nov 29 10:06:50 EST 2001
> From: Damien Miller <djm at mindrot.org>
>
> On Thu, 29 Nov 2001 carl at bl.echidna.id.au wrote:
>
> > > Why do we want to introduce a proprietary exchange into our client
> > > to support a commercial vendor who won't implement the standard
> > > (kbd-interactive) way of doing such things?
> >
> > Because sometimes compromise is a good way to reach a goal. You're
> > not supporting a commercial vendor, you're supporting your users.
>
> SSH.COM is not Microsoft and we are not Samba.
True :)
> The ssh.com's PAM support
> is broken anyway (cf. Darren's message) and there is a better _standard_
> exchange for doing such things.
Again, True. NFS was a (arguably better) standard a long time
before there was SMB too. But, you're not doing Samba, and
SSH.COM isn't Microshaft, the compromises that that team do to
interoperate with a hostile vendor don't apply, because
OpenSSH doesn't have to interoperate with anyone :) Least of all
someone who was there first, and who you took the original code
from! Remember that SSH.COM was there first, and started the whole
thing.
> If the users of said commerical vendor need better PAM support, they
> should switch to OpenSSH (cf Darren's message again).
In an ideal world, sure, everyone would use OpenSSH (or FreSSH or
whatever ...). But, this isn't an ideal world. For the sake
of interoperability (and thus, supporting users who must live in
the real world :) ), sometimes it's ok to compromise an ideal to
reach a goal. You don't have to, it's your baby, but you don't need
to can the idea if it's mentioned. The strength of UNIX is that
it's flexible and can talk to anything, that's not a bad claim to
fame. Where would we be if Eric Allman didn't make sendmail
interact better with M$'s broken SMTP AUTH? If Apache
insisted on only supporting "proper" HTTP? If Mozilla only parsed
100% legal HTML (if anyone can define that anyway?). If
your resolver library rejected A records with _'s in them? The world's
full of these compromises. It's how we get stuff done. OpenSSH
is a tool to to a job. The job is secure, authenticated
connections between computers. If a few compromises here and
there get made to help it interact with other vendors (broken
or otherwise), is that such a bad thing? Unless (and even if
it does, qf sendmail and SMTP AUTH) it breaks a security
requirement, and even then, it could/should warn, rather than
forbid.
Carl (not wanting to start any sort of religious war, and having
made my point, not saying any more on the issue :) )
More information about the openssh-unix-dev
mailing list