Re: Is it possible to avoid PAM calls for key based Auth methods
OpenSSH Development forum, Networking and Network Related category
On Wed, Feb 16, 2005 at 02:03:07PM +1100, Darren Tucker wrote:
> Nicolas Williams wrote:
> >You really don't want to do this as this means making modules aware of
> >ssh protocol specific details just so you can configure each ssh
> >authentication method differently.
>
> Yeah, but not being responsible for the PAM stacks I don't care so much
> about that :-) Seriously, this just points out how limited the PAM
> configuration mechanism is.

I don't agree.

> >>- sshd could use different PAM service names for the different auth
> >>types. (eg "sshd-public-key", "sshd-password", "sshd-gssapi-with-mic"
> >> and fall back to "sshd" if these don't exist. This would probably be
> >>tricky to write because you'd have to stop and start PAM for each auth
> >>attempt.)
> >
> >Solaris 10's sshd does this. See:
>
> Will it attempt to fall back to "sshd" if the specific PAM service does
> not exist (or do you just end up with "other")?

PAM doesn't provide a way to detect what services are configured, so it
falls back on "other."

> >The service names it uses are:
> >
> > - sshd-none
> > - sshd-password
> > - sshd-kbdint
> > - sshd-pubkey
> > - sshd-hostbased
> > - sshd-gssapi (for both gssapi-keyex and gssapi-with-mic)
> >
> >You might want to use those too...
>
> Those do not agree with the defaults in the ssh_config(4) man page (at
> least the one online at
> http://docs.sun.com/app/docs/doc/816...bb98uk5?a=view)

sshd_config(4)'s reference to "PamSvcFor*" is incorrect. A man page bug
was filed recently about this. See sshd(1M) instead:

http://docs.sun.com/app/docs/doc/816...bb1kqh7?a=view

> (On an unrelated note I see MaxAuthTries and MaxAuthTriesLog are still
> undocumented...)

Indeed. I'll file a bug report.

Nico

--
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev
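The per-method service names and the "other" fallback discussed in this message, as an added example that is not part of the thread and is neither Solaris nor OpenSSH code: a small Python resolver that mirrors the lookup rule Nico describes (a service name with no entries for a module type gets the "other" stack) and reports, for each sshd-* name, which stack would actually apply. The pam.conf text inside is constructed for illustration in Solaris /etc/pam.conf syntax; the module names are the usual Solaris ones but the stacks are invented, and the function names are mine.

```python
import sys

# Constructed sample in Solaris /etc/pam.conf syntax (service type control
# module [options]). Not a real Solaris 10 pam.conf: the stacks are invented
# for illustration; only the module names are the usual Solaris ones.
SAMPLE_PAM_CONF = """\
other        auth     requisite  pam_authtok_get.so.1
other        auth     required   pam_dhkeys.so.1
other        auth     required   pam_unix_cred.so.1
other        auth     required   pam_unix_auth.so.1
other        account  required   pam_unix_account.so.1
sshd-pubkey  auth     required   pam_unix_cred.so.1
sshd-pubkey  account  required   pam_unix_account.so.1
sshd-none    auth     required   pam_deny.so.1
"""

# The per-method service names Nico lists for the Solaris 10 sshd.
SSHD_SERVICES = ("sshd-none", "sshd-password", "sshd-kbdint",
                 "sshd-pubkey", "sshd-hostbased", "sshd-gssapi")


def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module), ...]}."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, control, module = fields[:4]
        stacks.setdefault((service, mtype), []).append((control, module))
    return stacks


def resolve_stack(stacks, service, mtype):
    """Return (service_used, stack) the way libpam selects it.

    If the named service has no entries for this module type, the "other"
    entries are used. The fallback is per module type, so a service that
    configures only "auth" still picks up "other"'s "account" stack.
    Returns an empty stack if "other" is not configured either.
    """
    key = (service, mtype)
    if key in stacks:
        return service, list(stacks[key])
    return "other", list(stacks.get(("other", mtype), []))


def audit_sshd_services(text, mtype="auth"):
    """Map each sshd-* service name to the service whose stack applies."""
    stacks = parse_pam_conf(text)
    return {svc: resolve_stack(stacks, svc, mtype)[0] for svc in SSHD_SERVICES}


if __name__ == "__main__":
    # Optional argument: path to a real pam.conf; otherwise use the sample.
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PAM_CONF
    for mtype in ("auth", "account"):
        for svc, used in audit_sshd_services(conf, mtype).items():
            note = "" if used == svc else '  <- falls back to "other"'
            print("%-8s %-15s %s%s" % (mtype, svc, used, note))
```

Run it against a live Solaris-style file with `python3 pam_audit.py /etc/pam.conf`. Any sshd-* name that resolves to "other" inherits whatever "other" configures for that module type, which is exactly the situation Darren was asking about: there is no intermediate fall-back to a plain "sshd" stack, so a per-method stack you forgot to write is silently replaced by the catch-all one.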