PAM, keyboard interactive, pam-1 at ssh.com, interoperability

Thu Nov 29 10:06:50 EST 2001

> From: Damien Miller <djm at mindrot.org>
> 
> On Thu, 29 Nov 2001 carl at bl.echidna.id.au wrote:
> 
> > > Why do we want to introduce a proprietary exchange into our client
> > > to support a commercial vendor who won't implement the standard 
> > > (kbd-interactive) way of doing such things?
> > 
> > Because sometimes compromise is a good way to reach a goal.  You're 
> > not supporting a commercial vendor, you're supporting your users.
> 
> SSH.COM is not Microsoft and we are not Samba.

True :)

> The ssh.com's PAM support
> is broken anyway (cf. Darren's message) and there is a better _standard_
> exchange for doing such things. 

Again, True.  NFS was a (arguably better) standard a long time 
before there was SMB too.  But, you're not doing Samba, and 
SSH.COM isn't Microshaft, the compromises that that team do to 
interoperate with a hostile vendor don't apply, because 
OpenSSH doesn't have to interoperate with anyone :)  Least of all
someone who was there first, and who you took the original code 
from!  Remember that SSH.COM was there first, and started the whole
thing.  

> If the users of said commerical vendor need better PAM support, they 
> should switch to OpenSSH (cf Darren's message again).

In an ideal world, sure, everyone would use OpenSSH (or FreSSH or
whatever ...).  But, this isn't an ideal world.  For the sake
of interoperability (and thus, supporting users who must live in
the real world :) ), sometimes it's ok to compromise an ideal to
reach a goal.  You don't have to, it's your baby, but you don't need
to can the idea if it's mentioned.  The strength of UNIX is that
it's flexible and can talk to anything, that's not a bad claim to
fame.  Where would we be if Eric Allman didn't make sendmail 
interact better with M$'s broken SMTP AUTH?  If Apache
insisted on only supporting "proper" HTTP?  If Mozilla only parsed 
100% legal HTML (if anyone can define that anyway?). If
your resolver library rejected A records with _'s in them?  The world's
full of these compromises.  It's how we get stuff done.  OpenSSH
is a tool to to a job.  The job is secure, authenticated
connections between computers.  If a few compromises here and 
there get made to help it interact with other vendors (broken
or otherwise), is that such a bad thing?  Unless (and even if 
it does, qf sendmail and SMTP AUTH) it breaks a security 
requirement, and even then, it could/should warn, rather than
forbid.

Carl (not wanting to start any sort of religious war, and having
made my point, not saying any more on the issue :) )