[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: non-interactive authentications...



On Tue, Aug 18, 1998 at 12:53:37AM -0600, Haripriya S wrote:
> > PAM is designed for the interactive authentication.
> > PAM modules give a prompt and ask what they want.
> > It supposes that a human will answer because it's hard to write a software
> > giving reasonable answers on arbitrary and unpredictable questions.
> 
> > There are some approaches to use PAM for fixed protocols like FTP
> > or POP but the approaches abuse the interactive and "module-centric" nature
> > of PAM.
> 
> That is not entirely true. The very purpose of providing the 
> ability to use application specified conversion functions is
> to let the application decide how to get its inputs ( either 

Conversation function is introduced to display the prompt
and read the answer in the current environment: via a box
in GUI or just printing the prompt or making an appropriate request
to the peer in the case of a remote session.

> inteactively or non-interactively). So as an application I can
> write a conversation function that may even read from a file
> and then return the pam_resp->resp structures corresponding
> to the message styles PAM_PROMPT_ECHO_ON (username)
> and PAM_PROMPT_ECHO_OFF (password). You can also 

WHY do you guess that PAM_PROMPT_ECHO_ON question is a question
about username?

All applications that assume it are completely broken from PAM point
of view because they break the main goal of PAM - pluggability.

Any module is allowed to ask you with echo turned on your first
name, your last name, your birthday and with echo turned off
the name of your girl friend (for authentication purposes of course :-)

The fact that a plenty of applications using PAM are broken by design
only shows that PAM as it is doesn't satisfy developer's needs.

> set the name of the user when you call pam_start. Thus if the 
> application would call pam_start with the appropriate 
> conversation function parameter, and then directly call pam_authenticate(), then pam will take care of getting the username and password *using*  the way the application wants 
> it (either from a user, or opening a connection and reading from 
> the client, or even directly from a file).

Best regards
					Andrey V.
					Savochkin



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []