New PAM code landing (at last)

Damien Miller djm at mindrot.org
Sat May 10 19:20:58 EST 2003


Hello all,

The long-mooted PAM merge from FreeBSD is starting _now_. This replaces
the PAM password auth kludge that we have used until now with a discrete
challenge-response module. This module is invoked via
keyboard-interactive for protocol 2 or TIS auth for protocol 1.

Warning: this is a large change and will probably break things. It has
only been tested with basic password auth modules and not at all (by me)
on non-Linux systems (I put out test requests on snapshots of this, but
nobody responded...) On the other hand, this code has been shipping and
working in FreeBSD for a while.

For those interested, this is pretty much exactly what is in FreeBSD's
tree, with a few s/pam_xxx/sshpam_xxx/ substitutions. These are to avoid
potential namespace clashes against the PAM library itself. I have no
idea whether there are any such conflicts in the symbols in auth-pam.c,
but we made a similar change in the old auth-pam.c quite a while ago at
the request of someone at Sun.

Also note that we do not enable and have no intention of enabling the
thread support - we don't want the complexity of threads in the monitor.
The code is still there at the moment (#ifdef'd out), but will likely
disappear from our tree in the future. I'll try to remove it in such a
way that the FreeBSD developers don't end up in #ifdef hell putting it
back in their tree.

The repository will be tagged with BEFORE_FREEBSD_PAM_MERGE and
AFTER_FREEBSD_PAM_MERGE tags to make diffing / reverting easier.

We are a long way from the next release, so we have plenty of time to
make this work properly. Doing this will require a lot of testing, so I
encourage everyone on a PAM system to try out the new code and report
back ASAP.

-d
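Because the new module is driven through keyboard-interactive (or TIS for protocol 1), PAM's conversation callback cannot read prompts from a terminal the way a login program does: it has to hand the prompts to the SSH client and map whatever comes back into PAM's response array. What follows is an added illustration of that shape, written for this page and not taken from OpenSSH's auth-pam.c or from the FreeBSD tree the mail refers to. The PAM constants and structs are redefined locally (with the values from the Linux-PAM header) so the example builds without libpam; `kbdint_transport`, `sshpam_example_conv`, `fake_client` and `demo_password_exchange` are hypothetical names, the `sshpam_` prefix simply follows the renaming the mail describes, and the transport callback stands in for whatever mechanism lets the conversation wait for the client's reply (the mail mentions thread support in the FreeBSD code for this; OpenSSH chose not to enable it). The client side is a constructed stub that answers from a fixed table.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for Linux-PAM's types and constants, defined here so
 * the example builds without libpam; values match <security/pam_appl.h>. */
#define PAM_SUCCESS         0
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON  2
#define PAM_ERROR_MSG       3
#define PAM_TEXT_INFO       4
#define PAM_CONV_ERR        19
#define MAX_PROMPTS         8
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Hypothetical transport to the SSH client: sends all prompts as one
 * keyboard-interactive info request, stores malloc'd answers in answers[]
 * and returns how many answers the client actually sent. */
struct kbdint_transport {
    int (*exchange)(void *state, int nprompts, const char **prompts,
                    const int *echo, char **answers);
    void *state;
};

/* Conversation function in PAM's conv shape that never reads a tty: prompts
 * are shipped to the client and its answers become the pam_response array. */
int sshpam_example_conv(int num_msg, const struct pam_message **msg,
                        struct pam_response **resp, void *appdata)
{
    struct kbdint_transport *t = appdata;
    struct pam_response *reply;
    const char *prompts[MAX_PROMPTS];
    char *answers[MAX_PROMPTS] = {0};
    int echo[MAX_PROMPTS], map[MAX_PROMPTS], i, n = 0; /* map: prompt -> msg */

    if (num_msg <= 0 || num_msg > MAX_PROMPTS)
        return PAM_CONV_ERR;
    if ((reply = calloc((size_t)num_msg, sizeof(*reply))) == NULL)
        return PAM_CONV_ERR;
    for (i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF: case PAM_PROMPT_ECHO_ON:
            prompts[n] = msg[i]->msg;
            echo[n] = (msg[i]->msg_style == PAM_PROMPT_ECHO_ON);
            map[n++] = i;
            break;
        case PAM_TEXT_INFO: case PAM_ERROR_MSG:
            break;          /* no answer slot; a server relays this as text */
        default:
            free(reply);
            return PAM_CONV_ERR;
        }
    }
    /* Short or oversized reply: fail closed instead of handing PAM a
     * half-filled response array. */
    if (t->exchange(t->state, n, prompts, echo, answers) != n) {
        for (i = 0; i < n; i++)
            free(answers[i]);
        free(reply);
        return PAM_CONV_ERR;
    }
    for (i = 0; i < n; i++)
        reply[map[i]].resp = answers[i];   /* ownership passes to PAM */
    *resp = reply;
    return PAM_SUCCESS;
}

/* Constructed client stand-in: answers from a fixed table, possibly with
 * fewer answers than prompts so the error path can be exercised. */
struct fake_client { int nanswers; const char *table[MAX_PROMPTS]; };

static char *dup_str(const char *s)   /* strdup without needing POSIX macros */
{ size_t n = strlen(s) + 1; char *p = malloc(n); return p ? memcpy(p, s, n) : NULL; }

static int fake_exchange(void *state, int nprompts, const char **prompts,
                         const int *echo, char **answers)
{
    struct fake_client *c = state;
    int i, n = nprompts < c->nanswers ? nprompts : c->nanswers;
    (void)prompts; (void)echo;
    for (i = 0; i < n; i++)
        answers[i] = dup_str(c->table[i]);
    return n;
}

/* Push an info message plus a hidden "Password: " prompt through the
 * conversation. Returns 1 if the constructed password landed in the right
 * slot, 0 if the response array was wrong, -1 if the conversation failed. */
int demo_password_exchange(int client_answers)
{
    struct fake_client fc = { client_answers, { "hunter2" } };
    struct kbdint_transport t = { fake_exchange, &fc };
    struct pam_message m[2] = { { PAM_TEXT_INFO, "Welcome to example host" },
                                { PAM_PROMPT_ECHO_OFF, "Password: " } };
    const struct pam_message *msgs[2] = { &m[0], &m[1] };
    struct pam_response *resp = NULL;
    int ok;

    if (sshpam_example_conv(2, msgs, &resp, &t) != PAM_SUCCESS)
        return -1;
    ok = resp[0].resp == NULL && resp[1].resp != NULL &&
         strcmp(resp[1].resp, "hunter2") == 0;
    free(resp[1].resp);
    free(resp);
    return ok;
}
```

The count check after the exchange is the part worth copying: a client that returns fewer answers than there were prompts must not leave PAM with NULL responses for real prompts, and one that returns more must not have the surplus silently accepted, so both cases end the conversation with PAM_CONV_ERR and free everything that was allocated.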