Re: Is it possible to avoid PAM calls for key based Auth methods
On Wed, Feb 16, 2005 at 02:03:07PM +1100, Darren Tucker wrote:
> Nicolas Williams wrote:
> >You really don't want to do this as this means making modules aware of
> >ssh protocol specific details just so you can configure each ssh
> >authentication method differently.
>
> Yeah, but not being responsible for the PAM stacks I don't care so much
> about that :-) Seriously, this just points out how limited the PAM
> configuration mechanism is.
I don't agree.
> >>- sshd could use different PAM service names for the different auth
> >>types. (eg "sshd-public-key", "sshd-password", "sshd-gssapi-with-mic"
> >> and fall back to "sshd" if these don't exist. This would probably be
> >>tricky to write because you'd have to stop and start PAM for each auth
> >>attempt.)
> >
> >Solaris 10's sshd does this. See:
>
> Will it attempt to fall back to "sshd" if the specific PAM service does
> not exist (or do you just end up with "other")?
PAM doesn't provide a way to detect what services are configured, so it
falls back on "other."
> >The service names it uses are:
> >
> > - sshd-none
> > - sshd-password
> > - sshd-kbdint
> > - sshd-pubkey
> > - sshd-hostbased
> > - sshd-gssapi (for both, gssapi-keyex and gssapi-with-mic)
> >
> >You might want to use those too...
>
> Those do not agree with the defaults in the ssh_config(4) man page (at
> least the one online at
> http://docs.sun.com/app/docs/doc/816-5174/6mbb98uk5?a=view)
sshd_config(4)'s reference to "PamSvcFor*" is incorrect. A man page bug
was filed recently about this. See sshd(1M) instead:
http://docs.sun.com/app/docs/doc/816-5166/6mbb1kqh7?a=view
> (On an unrelated note I see MaxAuthTries and MaxAuthTriesLog are still
> undocumented...)
Indeed. I'll file a bug report.
Nico
--
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
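As an added example (not from the thread, and not Solaris or OpenSSH code), a small POSIX shell check that resolves which pam.conf stack each of the per-method sshd service names listed above would actually get, silently falling back to "other" when the name is not configured, which is the behaviour Nico describes; the pam.conf sample and the function names are constructed for this illustration.

```shell
# Constructed sample of a Solaris-style pam.conf (hypothetical; not from the thread).
# Format per line: service  module_type  control_flag  module_path [options]
SAMPLE_PAM_CONF='# service      type  flag       module
sshd-pubkey    auth  required   pam_unix_cred.so.1
sshd-password  auth  requisite  pam_authtok_get.so.1
sshd-password  auth  required   pam_unix_auth.so.1
other          auth  requisite  pam_authtok_get.so.1
other          auth  required   pam_unix_cred.so.1
other          auth  required   pam_unix_auth.so.1'

# pam_service_for FILE SERVICE TYPE
# Prints SERVICE if FILE has at least one TYPE line for it, otherwise "other":
# PAM cannot tell a caller whether a service is configured, so an unconfigured
# per-method name (e.g. sshd-hostbased) quietly gets the "other" stack.
pam_service_for() {
    if awk -v s="$2" -v t="$3" \
        '$1 !~ /^#/ && $1 == s && $2 == t { found = 1 } END { exit !found }' "$1"; then
        printf '%s\n' "$2"
    else
        printf 'other\n'
    fi
}

# effective_stack FILE SERVICE TYPE
# Prints the module lines PAM would actually evaluate for SERVICE/TYPE.
effective_stack() {
    svc=$(pam_service_for "$1" "$2" "$3")
    awk -v s="$svc" -v t="$3" '$1 !~ /^#/ && $1 == s && $2 == t { print }' "$1"
}

# Stand-alone demo: audit every per-method service name the thread lists.
pam_demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PAM_CONF" > "$tmp"
    for svc in sshd-none sshd-password sshd-kbdint sshd-pubkey sshd-hostbased sshd-gssapi; do
        printf '%-15s -> %s\n' "$svc" "$(pam_service_for "$tmp" "$svc" auth)"
    done
    rm -f "$tmp"
}
pam_demo
```

Run it against the real /etc/pam.conf instead of the sample to see which sshd-* names an administrator has actually given their own stack and which are inheriting "other".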