> I don't really know anything about the PAM, so I cannot say if it can
> be implemented using userauth or not. 
> 
> > (ii) PAM wants to talk directly to the user, to ask for passwords,
> > request password changes, etc. These messages are not abstracted *at*
> > *all*, PAM gives the application a string and some display hints, and
> > expects a string back as the user's response. This mode of operation
> > doesn't fit with the ssh user-authentication protocol. 

My model for PAM is that user logs into his desktop, and PAM acquires all the
credentials necessary to seamlessly access other services.

For example I have a kerberized pam module that does the equivalent of kinit
for me, and stores the kerberos creds in a temporary file.

When using kerberized telnet, the client side of telnet doesn't care
about PAM. On the server side, the telnet daemon does care about PAM, to the
extent that if kerberos authentication is being used, the pam module is
configured to be quiet. If the kerberos authentication is not used, then
telnet will go through the stack of pam modules, which includes the kerberos
module. So the user runs through the same set of PAM queries that he did when
he logged into his desktop.

I agree with those who say that attempting to structure PAM within a protocol
makes no sense. Instead, the protocol should be able to provide an
uninterpreted byte stream to the entity invoking the SSH client so that when
the SSH server runs through the PAM stack, PAM itself drives the user's
actions.

Keep in mind that PAM modules can pretty much do anything ... ask for the ids
and passwords of multiple people, interact with a local smart card, do
challenge/response with or without a token card, act as an access control
feature ("if it's a full moon on Saturday, and it's joe logging in, tell him
no"), a logging feature, etc. I'm skeptical that this general a feature
can be structured.

        -mre
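As an added illustration of the "uninterpreted byte stream" idea in the message above (example code, not from the list or any SSH implementation): the server packs whatever its PAM stack emits into an opaque frame, the client replays it to the user and returns one reply per prompt. The message styles use the numbering from `<security/pam_appl.h>`; the framing itself, the `REPLY` style and the sample conversation are constructed for this example.

```python
import struct

# PAM conversation message styles, numbered as in <security/pam_appl.h>.
PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO = 1, 2, 3, 4
PROMPT_STYLES = (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON)
REPLY = 0  # constructed: style value used for client replies

def pack(items):
    """Constructed framing for an opaque stream: u32 count, then per item a
    u8 style, u32 length and UTF-8 text. The SSH layer never looks inside."""
    out = struct.pack("!I", len(items))
    for style, text in items:
        data = text.encode()
        out += struct.pack("!BI", style, len(data)) + data
    return out

def unpack(buf):
    (count,) = struct.unpack_from("!I", buf, 0)
    off, items = 4, []
    for _ in range(count):
        style, length = struct.unpack_from("!BI", buf, off)
        off += 5
        if off + length > len(buf):
            raise ValueError("truncated frame")
        items.append((style, buf[off:off + length].decode()))
        off += length
    if off != len(buf):
        raise ValueError("trailing bytes after frame")
    return items

def client_converse(frame, ask):
    """Client side: replay the server's PAM conversation to the user through
    ask(text, echo) and return one reply per prompt, in order, as PAM expects."""
    replies = []
    for style, text in unpack(frame):
        if style in PROMPT_STYLES:
            replies.append((REPLY, ask(text, echo=(style == PAM_PROMPT_ECHO_ON))))
        elif style in (PAM_ERROR_MSG, PAM_TEXT_INFO):
            ask(text, echo=None)          # display only; PAM expects no reply
        else:
            raise ValueError(f"unknown PAM message style {style}")
    return pack(replies)

def server_round_trip(ask):
    """Constructed sample: Kerberos module stays quiet, password module prompts."""
    frame = pack([(PAM_TEXT_INFO, "Kerberos credentials not found"),
                  (PAM_PROMPT_ECHO_ON, "login: "),
                  (PAM_PROMPT_ECHO_OFF, "Password: ")])
    return [text for _, text in unpack(client_converse(frame, ask))]
```

Calling `server_round_trip` with a callback that answers the two prompts yields the replies in prompt order, and a frame cut short raises `ValueError` instead of being silently accepted.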