[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: interaction of SSL and PAM



Ingo Luetkebohle wrote:
> Recently I wondered about a possible interaction of PAM and SSL. With
> the advent of client-side certs, certificates are increasingly used for
> authentication purposes. Unfortunately, current SSL enabled programs, if
> they support authentication, interact very badly (not at all, that is)
> with PAM. My current case-in-point is, of course, Apache-SSL.
> 
> How do the protocol schemes of SSL and PAM fit together? Could there be
> an interaction?
> 
> Any clues/information/work-in-progress?

And as if by magic... a (possible) solution appeared.  Andrey
(saw@msu.ru) and I have been working on a binary conversation
mechanism.  We got it working last week with ssh. ;) I intend to
release it in 0.63 and hopefully expect other people to make some
pretty impressive modules (for servers) + agents (for clients) to make
use of it.  Our current focus is an enhancement to PAM support in
secure shell, but I think the mechanism is so simple it will be usable
with most network oriented protocols.

The basic idea is to allow a new conversation type:
PAM_BINARY_PROMPT.  This conversation type transfers packets back and
forth from server to client.  The packet's form is:

	{ __u32 length_of_data, __u32 standard_control_token,
		data[length_of_data - 4] }.

On the client side, we have built a library that can flexibly run
client-side agents which read/write these packets through stdin and
stdout.

Andrey has also made a shared secret module/agent that will provide a
concrete example of how the mechanism works.  Someone in a country
less concerned with the distribution of cryptography will have to
implement standard RSA authentication etc. etc.  I have not thought
about SSL, but I am hopeful that this will be accommodated by our
simple extension: all input is very welcome.

I intend to release 0.63 mid week.

BTW. I will probably be able to incorporate any patches for PAM that I
receive before Tuesday (let's say 11:30pm GMT).

Cheers

Andrew
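The packet layout Andrew describes, as an added example that is not part of the original message or of Linux-PAM: a bounds-checked encoder and decoder in C for { __u32 length_of_data, __u32 standard_control_token, data[length_of_data - 4] }. It assumes big-endian words on the wire and that length_of_data counts the control token word plus the payload (the message does not say); the BINPKT_MAX_DATA cap and the sample payload are constructed for the example.

```c
/* Added example, not Linux-PAM code. Assumed wire format: two big-endian
 * __u32 words, length_of_data = 4 (token word) + payload bytes. */
#include <stdint.h>
#include <string.h>

#define BINPKT_HDR 8          /* length word + control token word */
#define BINPKT_MAX_DATA 4096  /* local sanity cap (assumption, not from the page) */

static void put_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint32_t get_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Serialise token + payload; returns bytes written, or -1 if out is too small. */
int binpkt_encode(uint8_t *out, size_t outlen, uint32_t token,
                  const uint8_t *data, size_t datalen) {
    if (datalen > BINPKT_MAX_DATA || outlen < BINPKT_HDR + datalen) return -1;
    put_u32(out, (uint32_t)(4 + datalen));  /* token word + payload */
    put_u32(out + 4, token);
    memcpy(out + BINPKT_HDR, data, datalen);
    return (int)(BINPKT_HDR + datalen);
}

/* Parse one packet. The header is validated before length_of_data is trusted,
 * so a peer cannot make the reader run past the buffer it actually holds.
 * Returns the payload length, or -1 on malformed or truncated input. */
int binpkt_decode(const uint8_t *in, size_t inlen, uint32_t *token,
                  const uint8_t **data) {
    if (inlen < BINPKT_HDR) return -1;                     /* truncated header */
    uint32_t len = get_u32(in);
    if (len < 4 || len - 4 > BINPKT_MAX_DATA) return -1;   /* bogus length */
    if (inlen < 4 + (size_t)len) return -1;                /* truncated payload */
    *token = get_u32(in + 4);
    *data = in + BINPKT_HDR;
    return (int)(len - 4);
}

/* Round-trip a constructed packet, then reject a forged length; 1 on success. */
int binpkt_selftest(void) {
    uint8_t wire[64]; const uint8_t *payload; uint32_t tok;
    const uint8_t msg[] = "challenge";   /* constructed sample payload, 9 bytes */
    int n = binpkt_encode(wire, sizeof wire, 0x01, msg, sizeof msg - 1);
    if (n != BINPKT_HDR + 9) return 0;
    if (binpkt_decode(wire, (size_t)n, &tok, &payload) != 9) return 0;
    if (tok != 0x01 || memcmp(payload, msg, 9) != 0) return 0;
    put_u32(wire, 0xFFFFFFFFu);          /* peer claims a huge length_of_data */
    return binpkt_decode(wire, (size_t)n, &tok, &payload) == -1;
}
```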


