X.509 support in ssh via PAM?

Peter Watkins peterw at usa.net
Thu Jan 24 05:49:37 EST 2002


On Wed, Jan 23, 2002 at 10:21:39AM -0800, Anne Carasik wrote:

> I don't remember who said this, as this was a while back. All I remember
> is the PKI thingy, and everyone was trying to do something with it.
> 
> From a sysadmin standpoint, I'd like to be able to manage user keys with
> PKI.
> 
> You can probably do that with PAM, right?

Maybe halfway, if that, right? Most of us, I'd wager, are more concerned
about managing/certifying host keys, so a client knows[0] the sshd is
legit, that there's no MITM attack going on. And all the PAM hooks right
now are in the sshd code, so PAM wouldn't come into play here. Is PAM
usable, or appropriate, for use on the *client* side, for verifying the
key presented by the sshd?

PAM could be useful for the other way around. If the sshd were told to 
treat "sshpeer.example.com" as a trusted host, then sshd would need a way 
of verifying the key presented by the client. Clearly PAM might work there, 
if such a PAM module were to exist.

But since OpenSSH already uses OpenSSL, wouldn't it make more sense just to 
leverage the OpenSSL code instead?

-Peter

[0] not Ben's client, but those of us who might enable PKI :-)

-- 
We must all learn to live together as brothers,
or we will all perish as fools. - Dr Martin Luther King, Jr
