Is it possible to avoid PAM calls for key based Auth methods
Nicolas Williams
Nicolas.Williams at sun.com
Wed Feb 16 14:37:13 EST 2005
On Wed, Feb 16, 2005 at 02:03:07PM +1100, Darren Tucker wrote:
> Nicolas Williams wrote:
> >You really don't want to do this as this means making modules aware of
> >ssh protocol specific details just so you can configure each ssh
> >authentication method differently.
>
> Yeah, but not being responsible for the PAM stacks I don't care so much
> about that :-) Seriously, this just points out how limited the PAM
> configuration mechanism is.
I don't agree.
> >>- sshd could use different PAM service names for the different auth
> >>types. (eg "sshd-public-key", "sshd-password", "sshd-gssapi-with-mic"
> >> and fall back to "sshd" if these don't exists. This would probably be
> >>tricky to write because you'd have to stop and start PAM for each auth
> >>attempt.)
> >
> >Solaris 10's sshd does this. See:
>
> Will it attempt to fall back to "sshd" if the specific PAM service does
> not exist (or do you just end up with "other")?
PAM doesn't provide a way to detect what services are configured, so it
falls back on "other."
> >The service names it uses are:
> >
> > - sshd-none
> > - sshd-password
> > - sshd-kbdint
> > - sshd-pubkey
> > - sshd-hostbased
> > - sshd-gssapi (for both, gssapi-keyex and gssapi-with-mic)
> >
> >You might want to use those too...
>
> Those do not agree with the defaults in the ssh_config(4) man page (at
> least the one online at
> http://docs.sun.com/app/docs/doc/816-5174/6mbb98uk5?a=view)
sshd_config(4)'s reference to "PamSvcFor*" is incorrect. A man page bug
was filed recently about this. See sshd(1M) instead:
http://docs.sun.com/app/docs/doc/816-5166/6mbb1kqh7?a=view
> (On an unrelated note I see MaxAuthTries and MaxAuthTriesLog are still
> undocumented...)
Indeed. I'll file a bug report.
Nico
--
More information about the openssh-unix-dev
mailing list