two factor authentication

Douglas E. Engert deengert at anl.gov
Wed Jul 26 00:27:27 EST 2006



David Leonard wrote:

> Frank Cusack wrote:
>
>> On July 24, 2006 8:57:32 PM +0000 Jefferson Ogata <Jefferson.Ogata at noaa.gov> wrote:
>>
>>> And the patches were what I was drawing attention to. But since sshd is
>>> largely about strong authentication, it would be nice to see it natively
>>> support per-user configuration of multiple required authentication methods.
>>
>> I definitely agree with that!
>
> I'm all for multiple-auth in sshd, but the current impl appears to
> conflict with an obscure feature of RFC4462 that I have been trying to
> implement, namely where the username field can start off blank and the
> server deduces the username from the credentials.

I would not quite call it obscure, but an important feature that ssh
needs to support. The user may have credentials, such as Kerberos tickets
or Globus proxy certificates, both using GSSAPI, and wants to connect to
some machine using these "network" credentials. The machine should be able
to determine what local unix account to use in this case if no specific
user name is provided.

In some cases a different temporary unix account might be assigned for each
session. ssh should not require the user to supply the local unix account to
use in these situations when other credentials can be used to determine
the local account.

OpenSSH in the past has checked the pam_user to make sure it was not changed
by the pam routines, rather than accepting that the pam routines have decided to
use a different user name than the one supplied by the user, which goes against
this concept of determining the user from the network credentials.


> Has anyone else looked 
> at this? sshd currently rejects connections when the username field 
> changes between separate auth attempts.
> 
> d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
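As an added illustration (not OpenSSH code, nor anything written by the posters), the following Python models the server-side decision discussed in this thread: a blank SSH username is resolved from the authenticated GSSAPI principal, a supplied name must agree with that resolution, and a connection stays bound to one local account across attempts. The principal-to-account table and every name in it are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed mapping from network identity to local Unix account. A real
# server would consult krb5 auth_to_local rules or a Globus grid-mapfile;
# these principals and accounts are hypothetical.
PRINCIPAL_MAP = {
    "alice@EXAMPLE.ORG": "alice",
    "guest17@EXAMPLE.ORG": "tmp_guest17",  # temporary per-session account
}


class AuthError(Exception):
    """Raised when an authentication attempt must be rejected."""


@dataclass
class Session:
    """Per-connection state: the local account this connection is bound to."""
    bound_user: Optional[str] = None


def local_account_for(principal: str) -> Optional[str]:
    """Derive the local account from the authenticated GSSAPI identity."""
    return PRINCIPAL_MAP.get(principal)


def gssapi_userauth(session: Session, requested_user: str, principal: str) -> str:
    """Process one userauth attempt whose GSSAPI exchange yielded `principal`.
    `requested_user` is the SSH username field; RFC 4462 allows it to be empty,
    in which case the server deduces the account from the credentials.
    Returns the account the session is now bound to, or raises AuthError."""
    derived = local_account_for(principal)
    if derived is None:
        raise AuthError(f"no local account mapped for {principal}")
    user = requested_user or derived          # blank field: deduce the account
    if user != derived:                       # supplied name must be authorised
        raise AuthError(f"{principal} is not authorised for account {user}")
    # Compare the resolved account, not the raw username field, so a blank
    # first attempt followed by a named one is not treated as a user change.
    if session.bound_user is not None and session.bound_user != user:
        raise AuthError("local account changed between authentication attempts")
    session.bound_user = user
    return user


def try_auth(session: Session, requested_user: str, principal: str) -> Tuple[bool, str]:
    """Convenience wrapper returning (accepted, account-or-reason)."""
    try:
        return True, gssapi_userauth(session, requested_user, principal)
    except AuthError as exc:
        return False, str(exc)
```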


