Is it possible to avoid PAM calls for key based Auth methods

Darren Tucker dtucker at zip.com.au
Tue Feb 15 16:56:35 EST 2005


Senthil Kumar wrote:
> I'm using OpenSSH-3.9p1 configured for PAM, krb etc. When I use key based 
> auth methods such as public key, gssapi etc., this skips the 
> pam_authenticate() call and directly calls pam_acct_mgmt(). This results 
> in a failed attempt with a few of my own PAM modules. Is there any way to 
> implement this facility to be controlled by a directive in sshd_config?

No, there's no way to avoid that without hacking sshd.  You wanted PAM, 
you got PAM :-)

Potentially, sshd could do a couple of things to the auth type to PAM so 
it could behave differently:

- sshd could set a PAM environment variable containing the authentication 
type.  (Although PAM's configuration syntax is pretty limited.  You could 
have a "sufficient" module early in the stack that returns immediately if 
that variable is set to, eg "public-key").

- sshd could use different PAM service names for the different auth types. 
  (eg "sshd-public-key", "sshd-password", "sshd-gssapi-with-mic" and fall 
back to "sshd" if these don't exist.  This would probably be tricky to 
write because you'd have to stop and start PAM for each auth attempt.)

> I mean PAM calls should not be called for key based Auth methods, 

I disagree with that for the general case: there are many valid reasons to 
call the non-auth PAM functions for non-password auths (eg account expiry, 
session modules).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
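The following is an added example, not code from the thread, from OpenSSH or from Linux-PAM. It models a PAM-style module stack with the usual control flags (required, requisite, sufficient, optional) and an sshd-like caller that runs the auth stack only for password authentication but the account stack for every method, which is the call order the question describes. It then shows the reported failure (an account module that assumes pam_authenticate() ran) and how the first proposal in the reply, a "sufficient" module early in the stack keyed on an authentication-type variable, would behave. The variable name SSH_AUTH_TYPE, the module names and the constructed password are assumptions for illustration; sshd does not set such a variable.

```python
"""Model of a Linux-PAM style module stack (added illustration, not real
OpenSSH or Linux-PAM code).

Assumptions made for the illustration: the sshd call order (pam_authenticate()
only for password auth, pam_acct_mgmt() for every method), the module names,
the constructed password, and a PAM environment variable SSH_AUTH_TYPE that
sshd does not actually set.
"""


# --- module stack evaluation, following Linux-PAM control flag semantics ----

def run_stack(stack, ctx):
    """Evaluate [(control, module), ...]; each module returns True or False."""
    failed = False
    for control, module in stack:
        ok = module(ctx)
        if control == "required":
            if not ok:
                failed = True          # keep running, but the stack will fail
        elif control == "requisite":
            if not ok:
                return False           # fail immediately
        elif control == "sufficient":
            if ok and not failed:
                return True            # short-circuit: later modules never run
        elif control == "optional":
            pass                       # ignored when other modules are present
        else:
            raise ValueError("unknown control flag: %s" % control)
    return not failed


# --- hypothetical modules ---------------------------------------------------

def auth_password(ctx):
    ok = ctx.get("password") == "hunter2"        # constructed credential
    if ok:
        ctx["authenticated_by_pam"] = True       # state set in the auth phase
    return ok


def acct_expiry(ctx):
    return not ctx["account_expired"]


def acct_needs_auth_state(ctx):
    # Stand-in for the poster's own module: it assumes pam_authenticate() ran.
    return ctx.get("authenticated_by_pam", False)


def skip_if_key_auth(ctx):
    # The "sufficient" module keyed on the (assumed) SSH_AUTH_TYPE variable.
    return ctx["env"].get("SSH_AUTH_TYPE") == "public-key"


# --- two PAM configurations for the "sshd" service --------------------------

STRICT_CONF = {
    "auth":    [("required", auth_password)],
    "account": [("required", acct_expiry),
                ("required", acct_needs_auth_state)],
}

TAGGED_CONF = {
    "auth":    [("required", auth_password)],
    "account": [("required", acct_expiry),          # enforced for every method
                ("sufficient", skip_if_key_auth),   # bypass only the next check
                ("required", acct_needs_auth_state)],
}


# --- sshd-like caller ----------------------------------------------------------

def sshd_login(auth_method, pam_conf, env, password=None, account_expired=False):
    ctx = {"env": env, "password": password, "account_expired": account_expired}
    if auth_method == "password":
        if not run_stack(pam_conf["auth"], ctx):    # pam_authenticate()
            return "auth failed"
    # Key-based methods (publickey, gssapi-with-mic) skip pam_authenticate(),
    # but pam_acct_mgmt() still runs for every method.
    if not run_stack(pam_conf["account"], ctx):
        return "account failed"
    return "ok"


if __name__ == "__main__":
    key_env = {"SSH_AUTH_TYPE": "public-key"}
    print("password, strict :", sshd_login("password", STRICT_CONF, {}, "hunter2"))
    print("publickey, strict:", sshd_login("publickey", STRICT_CONF, {}))
    print("publickey, tagged:", sshd_login("publickey", TAGGED_CONF, key_env))
    print("publickey, tagged, expired:",
          sshd_login("publickey", TAGGED_CONF, key_env, account_expired=True))
```

Note the ordering in TAGGED_CONF: the expiry module sits before the "sufficient" entry, so an expired account is still rejected for key-based logins (a "sufficient" success does not short-circuit once an earlier "required" module has failed), which preserves the account-expiry checks the reply wants to keep. Placing the "sufficient" entry first would skip them.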
