
Re: draft-ietf-secsh-userauth-01.txt (fwd)



> I read it. It is moving towards a more easily PAMifiable model, but it is,
> as the author (cc'd on this) says:
> > Authentication is mostly client-driven.  The client sends an
> > authentication request, and the server responds with success or failure.
>
> This is 180 degrees contrary to the PAM model, which has the server asking
> the client for the appropriate auth tokens.
> 
> If it is possible to have the rhosts-style of authentication always be
> tried before password authentication, then we can store the rhosts info on
> an rhosts try, always fail the rhosts try, and pass the rhosts info in
> with a pam_authenticate() call when password authentication is tried. 

I'm not very very familiar with the way PAM works.

However, in the new protocol the server actually drives the
authentication process.  Whenever a request fails, it lists the
authentication methods that might productively continue the dialog.
The server's policy may dictate that other authentications can be
tried only after "pam" authentication.  Or, the client's policy might
say that "pam" authentication is tried before any other
authentications if the server is willing to accept it.

I've clarified the wording of the draft regarding the authentication
process being client-driven.

I'd appreciate it if someone could tell me what it would take to add "pam"
as an authentication method (or multiple methods if appropriate).
Ideally, someone could write a section on the pam authentication
methods to be included in the draft.

    Tatu
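The server-driven dialog Tatu describes (the server answers each failed request with the list of methods that may continue) can be modelled as a small state machine. The following is an added example, not code from the thread or from any SSH implementation: the "pam" method name, the staged policy, the partial-success flag and the sample credentials are all assumptions made here to show that the server, not the client, controls the order in which methods are accepted.

```python
# Added example (not from the thread): toy model of a server-driven userauth
# dialog.  "pam" as a method name and the staged policy are assumptions.
from dataclasses import dataclass, field

@dataclass
class UserauthServer:
    # Ordered policy: one method from each stage must succeed before the
    # next stage's methods are offered.  Here "pam" must pass first.
    stages: list = field(default_factory=lambda: [{"pam"}, {"publickey", "password"}])
    verifiers: dict = field(default_factory=dict)   # method -> credential check
    completed: int = 0                               # index of the stage required now

    def methods_that_can_continue(self):
        """Methods the server is willing to accept at this point in the dialog."""
        if self.completed >= len(self.stages):
            return set()
        return set(self.stages[self.completed])

    def handle_request(self, method, credential):
        """Return ('SUCCESS',) or ('FAILURE', can_continue, partial_success)."""
        can_continue = self.methods_that_can_continue()
        # A method the policy does not offer yet is refused without any progress,
        # so a client cannot skip the "pam" stage by offering a password first.
        if method not in can_continue:
            return ("FAILURE", sorted(can_continue), False)
        verifier = self.verifiers.get(method)
        if verifier is None or not verifier(credential):
            return ("FAILURE", sorted(can_continue), False)
        self.completed += 1
        if self.completed == len(self.stages):
            return ("SUCCESS",)
        # The method passed but the policy still requires more: partial success.
        return ("FAILURE", sorted(self.methods_that_can_continue()), True)

def run_dialog():
    """Replay a constructed client/server exchange and return the transcript."""
    server = UserauthServer(verifiers={
        "pam": lambda cred: cred == "pam-ok",        # constructed sample tokens
        "password": lambda cred: cred == "hunter2",
        "publickey": lambda cred: False,
    })
    client_attempts = [("password", "hunter2"), ("pam", "bad"),
                       ("pam", "pam-ok"), ("password", "hunter2")]
    return [(m, server.handle_request(m, c)) for m, c in client_attempts]
```

Run `run_dialog()` to see the valid password refused until the "pam" stage has passed, then the partial-success reply listing the next stage's methods.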


