
Re: PAM bashing (was Re: kerberos support in ssh/lsh)



On 20 Oct 2000, Brian May wrote:

> The upstream author of lsh (GPL replacement for ssh v2) has said quite
> strongly (in the heimdal-discuss mailing list) that he is not going to
> support PAM, as the design of ssh doesn't support PAM.

If he doesn't support PAM for password-only authentication and environment
setup then he is making a grave mistake and we will have to patch it
before it could really be properly used in Debian.

PAM has a major failing when dealing with non-local authentication
methods (:<) but this basically degenerates into meaning you can't use
some neat modules (like OTP), you can't use CHAP systems, and you can't
use things that don't make sense (like local smart card readers on the
server).

Supposedly PAM does have a binary authenticator interface (I don't know
the details, but this is supposedly how the Kerb stuff works) but the
trouble is that it isn't really workable because the protocol is set by
PAM (he got this right).

But, you *can* use pam for the simple case of authorizing a single
password rather well. (he got this right too)

However, there is a whole area that PAM does rather well at, and that is
local environment setup, control and so forth (session, account,
password changing, etc). This is a fairly common use; for instance all the
Debian.org servers use PAM to perform home directory creation on login.
PAM modules provide MOTDs, wtmp logging, etc that were traditionally
provided by applications.

This is a big, important feature that he completely overlooked. IMHO even
if PAM is a failure at arbitrary protocol authentication it succeeds here
at least.

> I wondered: how does openssh cope?

It has a pseudo 'chat' (right word?) function that only responds with the
network password from the client. This is about the best you can do with
the old ssh protocol. ssh2 is supposed to be better.

Frankly, he is dead right. Someone should sit down and extend PAM to work
with arbitrary CHAP systems at least; it is a messy problem but I think
solvable. This must mean changing PAM because the network protocols are
already fixed.

Example: ppp-pam cannot use pam_smb to authenticate an MS ppp user using an
encrypted password passed through to an authorization server like Samba.
IIRC this requires a challenge to originate from the Samba server, pass
through pam, get encoded by ppp, go to the client and get returned all the
way back.

Jason
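Added example (not from this thread, nor code from OpenSSH or lsh): a one-answer PAM conversation function in C of the kind the 'chat' function above amounts to. It hands the password the client already sent to any echo-off prompt and swallows informational messages, but an echo-on prompt (a challenge it would have to relay to the client, as in the OTP and CHAP cases) ends the conversation with PAM_CONV_ERR, which is exactly the limit the message describes. The constants and structs are a labelled stand-in mirroring Linux-PAM so the block builds without libpam.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for <security/pam_appl.h> so this builds without libpam-dev; names
 * and values mirror Linux-PAM. With libpam installed, drop this block, include
 * the real header and pass one_shot_conv to pam_start() as the conv callback. */
#define PAM_SUCCESS          0
#define PAM_BUF_ERR          5
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* appdata_ptr points at the password the client already sent over the
 * network; that single string is the only answer this function can give. */
static int one_shot_conv(int num_msg, const struct pam_message **msg,
                         struct pam_response **resp, void *appdata_ptr)
{
    const char *password = appdata_ptr;
    struct pam_response *reply;
    int i;
    if (num_msg <= 0 || password == NULL)
        return PAM_CONV_ERR;
    if ((reply = calloc((size_t)num_msg, sizeof *reply)) == NULL)
        return PAM_BUF_ERR;
    for (i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:    /* "Password:" - the one prompt we can satisfy */
            if ((reply[i].resp = malloc(strlen(password) + 1)) == NULL)
                goto fail;
            strcpy(reply[i].resp, password);
            break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:          /* no channel to show the client; swallow it */
            break;
        default:                     /* an echo-on challenge (OTP, CHAP) we cannot relay */
            goto fail;
        }
    }
    *resp = reply;
    return PAM_SUCCESS;
fail:                                /* PAM expects no responses when conv fails */
    for (i = 0; i < num_msg; i++)
        free(reply[i].resp);         /* calloc zeroed the rest; free(NULL) is fine */
    free(reply);
    return PAM_CONV_ERR;
}
```

Session and account handling (home directory creation, MOTD, wtmp) need no conversation at all, which is why that part of PAM works for a server like this even when the authentication side is limited to the single-password case.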
