3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwords

Darren J Moffat Darren.Moffat at Sun.COM
Wed Nov 19 04:14:58 EST 2003


On Tue, 18 Nov 2003, Peter Stuge wrote:

> On Tue, Nov 18, 2003 at 05:16:06PM +0100, Markus Friedl wrote:
> > IMHO it's PAM's job to control access if PAM is used.
>
> :) That's the idea, anyway.
>
> Not that I'm the expert, PAM already confuses me a bit, but I think the
> larger problem is that sshd wants to have some control over the
> authentication process in order to do a couple of things (pubkey,
> hostbased, Kerberos and GSSAPI that I can think of) on its own.
>
> Maybe they {sh,c}ould be moved to PAM in some distant future, but even then
> everyone won't be using PAM. It remains the job of sshd.

That isn't particularly easy to do (it also isn't likely to happen in OpenSSH
since PAM doesn't exist on all platforms).  One reason it isn't that easy
to do is because ssh pubkey and GSSAPI need things off the wire, PAM doesn't
have any direct access to the wire.

PAM is intended to do initial authentication.  GSSAPI does not do initial
authentication and that isn't what it was designed for.

GSS auth shouldn't be done as a PAM module even if it could be.

--
Darren J Moffat



