[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: kerberos support in ssh/lsh

On Thu, Oct 05, 2000 at 10:56:15AM +0200, Niels Möller wrote:

> I couldn't do that. The interface of PAM is brain-damaged, and it is
> unusable for network authentication. (For an lsh-centric explanation
> why, see <URL: http://www.lysator.liu.se/~nisse/lsh/doc/NOTES>).

Let me argue that. The interface of PAM is not brain-damaged at all. It
is designed to provide _interactive_ _password-based_ authentication
services. It's quite true however that the SSH protocol does not support
interactive authentication at all (at least the 1.x versions do not; I
haven't looked at the 2.0 protocol closely yet). By saying that I mean
that the SSH protocol cannot be dynamically extended with message types
the client does not know about before - and that's what PAM does...

You write at the above URL that the PAM messages are not abstracted. Quite
the contrary, it is a completely abstract interface providing a method for
an authentication module to communicate with the user. It's the SSH protocol
that does not support such an abstraction level.

However, limited PAM support (using pam_authenticate only, no password
change support) is quite easy and is enough for the majority of users. And
even the password change can be hacked into SSH (not nice at all, but

So I would suggest using PAM and a Kerberos PAM module for authentication,
and provide some kind of support for ticket forwarding.


Gabor Gombas                                       Eotvos Lorand University
E-mail: gombasg@inf.elte.hu                        Hungary