Is it possible to avoid PAM calls for key based Auth methods
Darren Tucker
dtucker at zip.com.au
Wed Feb 16 14:03:07 EST 2005
Nicolas Williams wrote:
> You really don't want to do this as this means making modules aware of
> ssh protocol specific details just so you can configure each ssh
> authentication method differently.
Yeah, but not being responsible for the PAM stacks I don't care so much
about that :-) Seriously, this just points out how limited the PAM
configuration mechanism is.
>>- sshd could use different PAM service names for the different auth types.
>> (eg "sshd-public-key", "sshd-password", "sshd-gssapi-with-mic" and fall
>>back to "sshd" if these don't exist. This would probably be tricky to
>>write because you'd have to stop and start PAM for each auth attempt.)
>
> Solaris 10's sshd does this. See:
Will it attempt to fall back to "sshd" if the specific PAM service does
not exist (or do you just end up with "other")?
> The service names it uses are:
>
> - sshd-none
> - sshd-password
> - sshd-kbdint
> - sshd-pubkey
> - sshd-hostbased
> - sshd-gssapi (for both, gssapi-keyex and gssapi-with-mic)
>
> You might want to use those too...
Those do not agree with the defaults in the ssh_config(4) man page (at
least the one online at
http://docs.sun.com/app/docs/doc/816-5174/6mbb98uk5?a=view)
(On an unrelated note I see MaxAuthTries and MaxAuthTriesLog are still
undocumented...)
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
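The per-method service-name scheme discussed above, with the fallback Darren asks about, as an added example (not code from OpenSSH or Solaris sshd): a method-specific name such as "sshd-pubkey" is tried first, "sshd" only when no stack is configured for it, and nothing is returned when only PAM's "other" stack would match, so the caller can refuse rather than let an unconfigured method hit "other". The pam.conf sample and its module lines are constructed for this example; the method-to-service map is an assumption following the names quoted in the thread.

```python
import pathlib

# Method -> service name, following the Solaris 10 names quoted in the thread
# (assumed mapping for this example).
SERVICE_FOR_METHOD = {
    "none": "sshd-none", "password": "sshd-password",
    "keyboard-interactive": "sshd-kbdint", "publickey": "sshd-pubkey",
    "hostbased": "sshd-hostbased",
    "gssapi-with-mic": "sshd-gssapi", "gssapi-keyex": "sshd-gssapi",
}
DEFAULT_SERVICE = "sshd"

# Constructed sample in pam.conf layout (service name is column 1);
# the module lines are illustrative, not a recommended stack.
SAMPLE_PAM_CONF = """\
# sshd-password: the only service that should ever see a password
sshd-password  auth     requisite  pam_authtok_get.so.1
sshd-password  auth     required   pam_unix_auth.so.1
# sshd-pubkey: no auth stack, account checks still apply
sshd-pubkey    account  required   pam_unix_account.so.1
sshd           auth     required   pam_unix_auth.so.1
other          auth     required   pam_deny.so.1
"""


def services_from_pam_conf(lines):
    """Service names that have an explicit stack in pam.conf-style lines."""
    names = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            names.add(line.split()[0])        # service is the first column
    return names


def services_from_pam_d(pam_d="/etc/pam.d"):
    """Service names present as files in a Linux-style pam.d directory."""
    d = pathlib.Path(pam_d)
    return {p.name for p in d.iterdir() if p.is_file()} if d.is_dir() else set()


def pam_service_for(method, configured):
    """Name to hand to pam_start() for `method`, or None if only "other" fits.

    None tells the caller to refuse the attempt instead of letting PAM
    silently evaluate the "other" stack for an unconfigured service.
    """
    specific = SERVICE_FOR_METHOD.get(method)
    if specific in configured:
        return specific
    if DEFAULT_SERVICE in configured:
        return DEFAULT_SERVICE
    return None
```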
More information about the openssh-unix-dev mailing list