
[no subject]

In the case of simple things like console login, the client
application is nothing more than a terminal emulator/driver and it is
easy to miss the idea that this "application" may wish to communicate
information to the server application.

In other things like telnet, ftp and secure shell, the client
application is much more sophisticated.  Indeed, as the client
programs for these networked applications have been used in the past,
they provide a significant amount of authentication support.  In this
light, it is clear that unless these clients provide some form of
pluggability, PAM is always going to be trying to change the world
with its shoelaces tied together!  As we have seen, a lack of
pluggability in the clients has led to problems integrating PAM
support into traditional protocols like ftp.

So, sitting at the helm of Linux-PAM (I may not be a qualified captain
but I have been trying to keep it afloat ;), I have been thinking for
some time about what is missing and what is needed.  I have wanted to
make a _small_ change that will retain the authentication scheme
independence of libpam yet enable it to accommodate non-password based
authentication schemes.  I think we (Andrey Savochkin and I) have
finally made some progress.

The solution is simply to add another conversation type: the binary
message type, PAM_BINARY_MESG.  This is something that describes a
data packet created by a PAM module and passed by the server
application (through the conversation mechanism) directly to the
client.  We have been experimenting with this idea and have found it
is capable of turning ssh into a truly pluggable application.

The source code for this (it actually changes nothing in libpam) will
be in Linux-PAM-0.63.  It's basically little more than a "convention"
and a helpful support library (tentatively named libpam_client) which
adds some pluggable support to applications in a generic manner.

When I release the code, later this week, I'd be very interested to
see if it can be used to help interface PAM with the GSS-API and/or
full Kerberos.  I am confident that ssh can be well supported by it:
we already have the code for that...
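The relay described above, as an added example that is not code from this post or from Linux-PAM: a server-side conversation callback that hands a module's binary packet to the client and returns the client's answer to the module, treating that answer as untrusted input whose framing is checked before it goes back into the PAM stack. The struct layouts follow the PAM conversation API; the numeric value of PAM_BINARY_MESG, the packet layout (4-byte big-endian length that counts its own header, then payload), the BP_MAX_LEN bound and the client_link stand-in for the connection are all assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define PAM_BINARY_MESG 5     /* assumed value; the post fixes only the name */
#define PAM_SUCCESS     0
#define PAM_CONV_ERR    19
#define BP_MAX_LEN      4096  /* constructed upper bound on one packet */

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
/* Constructed stand-in for the client connection: what was sent, what came back. */
struct client_link { const uint8_t *sent; size_t sent_len; const uint8_t *reply; size_t reply_len; };

/* Assumed packet layout: 4-byte big-endian length (header included), then payload. */
static uint32_t bp_length(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Conversation callback: module packet -> client; framing-checked client reply -> module. */
int binary_conv(int n, const struct pam_message **m, struct pam_response **out, void *appdata) {
    struct client_link *link = appdata;
    struct pam_response *r = n > 0 ? calloc((size_t)n, sizeof *r) : NULL;
    if (!r) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) {
        const uint8_t *pkt = (const uint8_t *)m[i]->msg;
        size_t len = m[i]->msg_style == PAM_BINARY_MESG ? bp_length(pkt) : 0;
        if (len < 4 || len > BP_MAX_LEN) goto fail;        /* text prompts are not handled here */
        link->sent = pkt; link->sent_len = len;             /* "send" the packet to the client */
        /* the reply is accepted only if its declared length matches the bytes received */
        if (link->reply_len < 4 || link->reply_len > BP_MAX_LEN || bp_length(link->reply) != link->reply_len) goto fail;
        if (!(r[i].resp = malloc(link->reply_len))) goto fail;
        memcpy(r[i].resp, link->reply, link->reply_len);
    }
    *out = r; return PAM_SUCCESS;
fail:
    for (int i = 0; i < n; i++) free(r[i].resp);
    free(r); return PAM_CONV_ERR;
}

/* Constructed round trip: a 3-byte module payload out, a 2-byte client payload back
 * carrying the given length field.  Returns 1 if the reply reaches the module intact. */
int demo_exchange(int declared_reply_len) {
    static const uint8_t pkt[] = {0, 0, 0, 7, 'A', 'B', 'C'};
    uint8_t reply[] = {0, 0, 0, (uint8_t)declared_reply_len, 0x01, 0x02};
    struct client_link link = {NULL, 0, reply, sizeof reply};
    struct pam_message msg = {PAM_BINARY_MESG, (const char *)pkt};
    const struct pam_message *msgs[] = {&msg};
    struct pam_response *resp = NULL;
    if (binary_conv(1, msgs, &resp, &link) != PAM_SUCCESS) return 0;
    int ok = link.sent_len == 7 && memcmp(resp[0].resp, reply, sizeof reply) == 0;
    free(resp[0].resp); free(resp);
    return ok;
}
```

A correctly framed reply (length field 6 for a 6-byte frame) is returned to the module; a reply whose length field disagrees with the bytes actually received is rejected with PAM_CONV_ERR rather than passed on.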


