Is it possible to avoid PAM calls for key based Auth methods
Darren Tucker
dtucker at zip.com.au
Tue Feb 15 16:56:35 EST 2005
Senthil Kumar wrote:
> I'm using OpenSSH-3.9p1 configured for PAM, krb etc. When I use Key based
> auth methods such as Public key, gssapi etc., this skips the
> pam_authenticate() call and directly calls pam_acct_mgmt(). This results
> in a failed attempt with few of my own PAM modules. Is there any way to
> implement this facility to be controlled by a directive in sshd_config?

No, there's no way to avoid that without hacking sshd. You wanted PAM,
you got PAM :-)

Potentially, sshd could do a couple of things to pass the auth type to PAM so
it could behave differently:
- sshd could set a PAM environment variable containing the authentication
type. (Although PAM's configuration syntax is pretty limited. You could
have a "sufficient" module early in the stack that returns immediately if
that variable is set to, eg "public-key").
- sshd could use different PAM service names for the different auth types.
(eg "sshd-public-key", "sshd-password", "sshd-gssapi-with-mic" and fall
back to "sshd" if these don't exist. This would probably be tricky to
write because you'd have to stop and start PAM for each auth attempt.)

> I mean PAM calls should not be called for key based Auth methods,

I disagree with that for the general case: there's many valid reasons to
call the non-auth PAM functions for non-password auths (eg account expiry,
session modules).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
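
Added example, not part of the original message and not OpenSSH or PAM code: a small Python model of the two ideas in the reply, a per-method service name with fallback to "sshd" and an early "sufficient" module keyed on the auth type. The variable name SSH_AUTH_TYPE, the module functions and the stack are hypothetical; the expiry check is placed first so that a key login cannot skip it.

```python
import os
import tempfile

def pick_service(pam_dir, method):
    """Second idea: per-method service name, falling back to plain "sshd"."""
    name = f"sshd-{method}"
    return name if os.path.isfile(os.path.join(pam_dir, name)) else "sshd"

def run_stack(stack, env):
    """Evaluate (control, module) pairs with the basic Linux-PAM control flags."""
    required_failed = False
    for control, module in stack:
        ok = module(env)
        if control == "sufficient" and ok and not required_failed:
            return True               # short-circuit: later modules never run
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            required_failed = True    # keep going, but the result is failure
    return not required_failed

# Constructed stand-ins for real modules (all names are hypothetical).
def not_expired(env):         # account expiry check
    return not env.get("expired", False)

def authtype_is_pubkey(env):  # first idea: test a variable sshd would have to set
    return env.get("SSH_AUTH_TYPE") == "public-key"

def site_acct(env):           # a site module that assumes pam_authenticate() ran
    return env.get("pam_authenticate_ran", False)

# Expiry is checked before the short-circuit, so key logins cannot skip it.
ACCOUNT_STACK = [
    ("required", not_expired),
    ("sufficient", authtype_is_pubkey),
    ("required", site_acct),
]

def demo_service_choice():
    """Build a constructed pam.d directory and resolve two auth methods."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("sshd", "sshd-public-key"):
            open(os.path.join(d, name), "w").close()
        return pick_service(d, "public-key"), pick_service(d, "gssapi-with-mic")

if __name__ == "__main__":
    print(run_stack(ACCOUNT_STACK, {"SSH_AUTH_TYPE": "public-key"}))
    print(run_stack(ACCOUNT_STACK, {"SSH_AUTH_TYPE": "public-key", "expired": True}))
    print(demo_service_choice())
```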