If anyone is interested in integrating it into ssh2, there is an old
piece of prototype code for adding complete PAM support to ssh1 (client
and server) here:

ftp://ftp.kernel.org/pub/linux/libs/pam/pre/applications/ssh-PAM-patch.2.tar.gz

If enough people were to make the statement that they'd like to see this
type of thing supported by ssh2, and someone wants to offer me a little
help, I'd be willing to forward port this patch.

I happen to know that this patch is happily used by a number of people,
and I believe that more would want to use it, if it was part of the
official distribution.

Cheers

Andrew

Frank Cusack wrote:
> 
> In message <>,
> Martin Forssen writes:
> >
> > Attached below follows a proposal for a new authentication method for
> > SSH2. This new method implements general challenge-response
> > authentication.
> >
> 
> I think that a better method would be one that I proposed earlier. :)
> I have implemented it for ssh1 already. I call it "password-plus".
> [I haven't implemented it for ssh2 due to licensing restrictions.]
> 
> The "problem" with the "challenge-response" method is that the server
> may not know ahead of time (ie, solely from the username) if a user
> requires challenge-response or standard password auth. eg. when PAM
> is used as the backend.
> 
> Of course, if the user only requires password auth, no harm, no foul;
> the "challenge" is simply the password request and the response is
> simply the password. But, personally, I'd rather that the name be
> more indicative that this is a generalized authentication, and
> /not necessarily/ challenge-response.
> 
> Another problem is if multiple challenges are required.
> 
> Another useful generalization is to support multiple messages in
> a single "challenge". As an example, if the backend (eg PAM) is requesting
> a password change and wants to prompt the user twice for the new
> password, both prompts would be in a single "challenge" message.
> A GUI client could then display both prompts in a single window.
> 
> I have the original text of my proposal around here somewhere if anyone
> is interested, however the last time I proposed it I got no responses.
> 
> ~frank
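
The generalized exchange described in the quoted message above (a backend that may need several rounds, each round carrying several prompts in one message, with plain password auth as the one-round, one-prompt case), as an added Python example that is not code from this thread or from either proposal. The wire layout, the function names and the two backends standing in for PAM are assumptions constructed for illustration.

```python
import struct
# Assumed wire layout (constructed here, not from either proposal):
# uint32 count, then per prompt: uint32 length, UTF-8 text, 1-byte echo flag.
def pack_request(prompts):
    out = struct.pack(">I", len(prompts))
    for text, echo in prompts:
        raw = text.encode("utf-8")
        out += struct.pack(">I", len(raw)) + raw + bytes([int(echo)])
    return out

def unpack_request(buf, max_prompts=16, max_len=1024):
    # Client-side parse: reject oversized, truncated or padded input.
    if len(buf) < 4:
        raise ValueError("truncated header")
    (count,) = struct.unpack_from(">I", buf, 0)
    if count > max_prompts:
        raise ValueError("too many prompts")
    pos, prompts = 4, []
    for _ in range(count):
        if pos + 4 > len(buf):
            raise ValueError("truncated length")
        (n,) = struct.unpack_from(">I", buf, pos)
        pos += 4
        if n > max_len or pos + n + 1 > len(buf):
            raise ValueError("bad prompt length")
        prompts.append((buf[pos:pos + n].decode("utf-8"), buf[pos + n] == 1))
        pos += n + 1
    if pos != len(buf):
        raise ValueError("trailing bytes")
    return prompts

# Constructed backends standing in for PAM: each yield is one round of prompts.
def password_backend():
    (pw,) = yield [("Password: ", False)]
    return pw == "old"

def expired_backend():
    (pw,) = yield [("Password: ", False)]
    new, again = yield [("New password: ", False), ("Retype new password: ", False)]
    return pw == "old" and new == again

def run_auth(backend, answer):
    # Loop until the backend finishes; the client never knows the round count.
    gen, rounds, reply = backend(), 0, None
    try:
        while True:
            shown = unpack_request(pack_request(gen.send(reply)))
            reply = [answer(text, echo) for text, echo in shown]
            rounds += 1
    except StopIteration as done:
        return done.value, rounds
```
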
