Niels Möller wrote:
> > At first glimpse, it does appear to be a problem. The way ssh works, the
> > server and client deduce a mutually supported list of authentication
> > methods and then the server picks the one that it feels is strongest.
> > There are two approaches to getting PAM into this picture:
>
> Hmm, ssh2 user authentication does not work quite like that. The
> client tries one authentication method at a time. The server responds
> with either "success", "failure", "partial success, but more
> authentication is needed", or some method-specific message like "please
> choose a new password". In the failure and partial success cases, the
> server also sends the client a list of methods which are likely
> (although in no way guaranteed) to provide some progress in
> authentication.
OK, I was a little sloppy. This was my sketchy (poor) recollection from
ssh-1.2.x, which was what Andrey and I wrote our patch for.
PAM is a little more sophisticated than this. You can build logic into
the authentication sequence that PAM will use. For example, the admin
might adopt the following policy: if the applicant is attempting to
become root, then let's ask him for a retinal scan; lesser users can
simply get by with a one-time password; the guest user need only submit
an email address (which may or may not be verified before the user is
permitted access). PAM provides a rich syntax for the local system
administrator to dynamically reconfigure the local authentication
policy. Once the server has support for it, this can be changed as often
as desired without recompiling the server (lshd).
By design, the PAM modules are intended to be independent of the
application they are used with. PAM is, in principle, capable of
dynamically reproducing the whole gamut of currently supported (by ssh)
authentication schemes plus others yet to be implemented.
> So the server really needs to be able to query the backend, be it PAM
> or something else, for its supported methods. And it must be able to
> try specific methods, one at a time.
Since all methods can be supported by PAM, it's not actually clear why
the application needs to care which one was used: just let the admin
configure his specified selection and let PAM deal with it.
> It seems somewhat against the spirit of PAM to have specialized
> application-specific PAM-modules. With PAM, you really want to use the
> same, say, passwd-module or .authorized_keys-module for all
> applications where you want to allow that authentication method.
I guess I wasn't clear here. PAM is not a specific authentication
method. It's a generic API that is the front end to all and any
(combination of) authentication methods. The local admin is responsible
for which ones/combinations are to be chosen. In other words, by
supporting PAM, you'll be implicitly adding support for all/any
authentication scheme.
> 1. A mechanism to get a listing of supported authentication
> methods.
I guess I'm so close to PAM, that I cannot see why this would be
necessary. Since the sysadmin owns the server, it seems as if he's the
one to specify exactly what combination/order of authentications will
get individual users into his system. Other than supporting the PAM API,
what more does the client/server need to agree on?
> 2. A mechanism to attempt authentication using a method chosen _by the
> application_.
Again, getting a binary compiled every time one (re)makes this decision
is the problem PAM was invented to address. PAM liberates the
application writer from caring about which authentication method is to
be used and puts it squarely in the hands of the sysadmin.
> A redesigned conversation mechanism that improves two things:
>
> 3. Support for event-driven (or non-blocking) operation.
80% done.
> 4. An extra message field saying what the authentication module really
> wants. The interpretation of this field will naturally depend on
> the actual authentication method used. So it is probably pretty
> meaningless for applications that do not use (2). This field
> would actually be a pair, <authentication method, message>.
Given what PAM is supposed to do, is this still of concern? If so
perhaps you could elaborate?
Thanks!
Andrew
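The split Andrew describes (the application supplies only a conversation callback, the admin's stack decides which modules run) is easiest to see in code. The following is an added illustration, not code from lshd, from Andrew and Andrey's patch, or from any real PAM module: it simulates the Linux-PAM control flags required/requisite/sufficient and the pam_message/pam_response exchange in Python. The per-user stack selection in POLICY is a simplification of what a pam.conf plus modules like pam_succeed_if would express; the module names pam_retina, pam_otp and pam_email and the credential stores are constructed for the example.

```python
"""Simulation of the PAM application/module split (constructed example).

The 'application' only supplies a conversation callback and gets back a
verdict; the admin's stack (POLICY) decides which modules talk to the user.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Message styles, numbered as in <security/pam_appl.h>.
PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO = 1, 2, 3, 4
PAM_SUCCESS, PAM_AUTH_ERR = 0, 7


@dataclass
class Message:
    style: int  # how to present it; as in real PAM, no field names the module that sent it
    text: str


Conv = Callable[[List[Message]], List[str]]
Module = Callable[[str, Conv], int]

# Constructed credential stores for the simulation (not real data).
RETINA_DB = {"root": "scan-7f3a"}
OTP_DB = {"alice": "491882"}


def pam_retina(user: str, conv: Conv) -> int:
    """Hypothetical module: root must pass a retinal scan."""
    (answer,) = conv([Message(PAM_PROMPT_ECHO_OFF, "Retinal scan: ")])
    return PAM_SUCCESS if RETINA_DB.get(user) == answer else PAM_AUTH_ERR


def pam_otp(user: str, conv: Conv) -> int:
    """Hypothetical module: one-time password (a real one would also burn the code)."""
    (answer,) = conv([Message(PAM_PROMPT_ECHO_OFF, "One-time password: ")])
    return PAM_SUCCESS if OTP_DB.get(user) == answer else PAM_AUTH_ERR


def pam_email(user: str, conv: Conv) -> int:
    """Hypothetical module: guest need only give something shaped like an address."""
    (answer,) = conv([Message(PAM_PROMPT_ECHO_ON, "Email address: ")])
    return PAM_SUCCESS if "@" in answer else PAM_AUTH_ERR


# The admin's policy from the mail, keyed by user (simplification: real PAM
# keys stacks by service and branches on the user with modules such as pam_succeed_if).
POLICY: Dict[str, List[Tuple[str, Module]]] = {
    "root": [("requisite", pam_retina)],
    "guest": [("required", pam_email)],
    "*": [("required", pam_otp)],
}


def pam_authenticate(user: str, stack: List[Tuple[str, Module]], conv: Conv) -> int:
    """Walk the stack with Linux-PAM control-flag semantics (optional omitted).

    required:   failure is remembered but later modules still run, so the
                caller cannot tell which module rejected it.
    requisite:  failure returns immediately.
    sufficient: success returns immediately unless a required module already
                failed; failure is ignored.
    """
    failed = False
    passed = False
    for control, module in stack:
        rc = module(user, conv)
        if rc == PAM_SUCCESS:
            if control == "sufficient" and not failed:
                return PAM_SUCCESS
            passed = True
        else:
            if control == "requisite":
                return rc
            if control == "required":
                failed = True
    return PAM_AUTH_ERR if (failed or not passed) else PAM_SUCCESS


def scripted_conv(answers: Dict[str, str], transcript: List[Message]) -> Conv:
    """The application's half of the conversation: answer prompts, record everything."""
    def conv(messages: List[Message]) -> List[str]:
        transcript.extend(messages)
        return [answers.get(m.text, "") if m.style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON) else ""
                for m in messages]
    return conv


def login(user: str, answers: Dict[str, str]) -> Tuple[int, List[str]]:
    """What a PAM-aware server would do: hand PAM a callback, get back only a verdict."""
    transcript: List[Message] = []
    stack = POLICY.get(user, POLICY["*"])
    rc = pam_authenticate(user, stack, scripted_conv(answers, transcript))
    return rc, [m.text for m in transcript]


if __name__ == "__main__":
    for who, ans in [("root", {"Retinal scan: ": "scan-7f3a"}),
                     ("alice", {"One-time password: ": "491882"}),
                     ("guest", {"Email address: ": "someone@example.org"}),
                     ("mallory", {"One-time password: ": "491882"})]:
        print(who, login(who, ans))
```

Note that the transcript the application sees is a list of (style, text) pairs and nothing else: the same stack shape answers both sides of the thread, since the admin changes POLICY without the application changing, while the application also has no way of knowing which module produced a given prompt.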