PAM merge from FreeBSD
Frank Cusack
fcusack at fcusack.com
Sat Jan 11 00:47:32 EST 2003
On Fri, Jan 10, 2003 at 11:45:27PM +1100, Damien Miller wrote:
> Frank Cusack wrote:
> > On Fri, Jan 10, 2003 at 04:57:01PM +1100, Damien Miller wrote:
> >
> >>Frank Cusack wrote:
> >>
> >>>I like the idea of only doing PAM via kbdint, but that's not going to work
> >>>for a very large number of people.
> >>
> >>Why is that?
> >
> > It means you can only use PAM for clients that support kbdint.
>
> Just about everyone supports kbdint these days (OpenSSH has for two
> years), most of those who don't are ssh1 only - which are supported through
> TIS auth anyway.
I wasn't aware that kbdint was so widespread.

TIS auth doesn't support PAM correctly.
- can't pass info messages (although this isn't done correctly by openssh
  anyway)
- can't pass the echo/don't echo flag
- can't have multiple exchanges

As a server admin, I would never use TIS for PAM unless I was strictly doing
challenge/response. I would assume that the client is going to echo the
"response" entry.

/fc