
Re: ssh & opie



Andrew Morgan and I have spent more than a month trying to implement
full PAM support in ssh.  My goal was to make sshd work with the full
range of authentication schemes, including RSA, under PAM control.
We implemented binary prompts in the PAM library and a libpam_client library
to handle binary PAM messages on the client side.

I wasn't satisfied by our results.  The sshd code looks like a real mess
in the authentication functions because the authors want to support
every authentication kludge for every OS.  My PAM additions make the
code look worse.

I suppose that the new API for pluggable modules (PNIAM)
which I have announced recently should make the use of pluggable
authentication modules for sshd easier to implement.

Does anybody want to volunteer for the implementation?

Best wishes
					Andrey V.
					Savochkin

On Sun, Nov 22, 1998 at 08:08:08PM -0600, Aleph One wrote:
> Jan,
> 
>   First, thanks for maintaining the ssh rpms. They've come in handy many
> times. As you may know even with PAM support ssh only supports "password"
> authentication as the protocol lacks a conversation or pluggability
> feature. For a long time people, myself included, have wanted to use ssh
> with some type of one-time password system such as S/KEY or OPIE. OPIE is
> already supported via a PAM module but the ssh PAM patch simply ignores
> the PAM_TEXT_INFO message with the challenge information. If you change
> the line in the patch that contains "/* ignore it... */" to
> "packet_send_debug(msg[count]->msg);" it's possible to use ssh, pam and
> opie together.
> 
>   After compiling the server and configuring the opie pam module all the
> client has to do is be run like:
> 
> ssh -v -o "NumberOfPasswordPrompts 2" <hostname>
> 
>   The user will need to enter a dummy password, then the challenge will be
> displayed by the client in the debug messages, and he can enter the
> response the second time the client prompts it for a password.
> 
>   It's not pretty but it works. Now if only this free Windows ssh client
> would display debugging information...

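The workaround Aleph One describes, as an added example that is not taken from the ssh PAM patch, sshd or pam_opie: a Linux-PAM conversation callback that forwards PAM_TEXT_INFO (where the OPIE challenge arrives) to the client instead of dropping it, and answers each password prompt from the passwords the client has sent so far, one per prompt, which is what "NumberOfPasswordPrompts 2" buys you. sshd's packet_send_debug() is replaced by an in-memory buffer, the PAM definitions are stand-ins for <security/pam_appl.h> so the file builds without libpam, and the challenge string and six-word response are constructed values, not real OPIE output.

```c
/* Added example (not sshd's or pam_opie's code): PAM conversation function
 * that forwards PAM_TEXT_INFO to the client and answers prompts in order. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef HAVE_LIBPAM
#include <security/pam_appl.h>
#else
/* Stand-ins for <security/pam_appl.h> (Linux-PAM values) so this builds alone. */
#define PAM_SUCCESS          0
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
#endif

#define MAX_ATTEMPTS 8

/* Per-connection state: the passwords the client has sent so far (one per
 * password prompt) and a buffer standing in for the debug channel to the client. */
struct conv_state {
    const char *attempts[MAX_ATTEMPTS];
    int n_attempts;
    int next_attempt;
    int prompts_seen;
    char debug_out[512];   /* everything "sent" to the client as debug text */
};

/* Stand-in for sshd's packet_send_debug(): append one line to the buffer. */
static void send_debug(struct conv_state *st, const char *text)
{
    size_t used = strlen(st->debug_out);
    snprintf(st->debug_out + used, sizeof st->debug_out - used, "%s\n", text);
}

/* Linux-PAM conversation callback (msg is an array of pointers here; Solaris
 * passes a pointer to an array). The response array and every resp string
 * must be malloc'd: the module frees them. */
static int ssh_pam_conv(int num_msg, const struct pam_message **msg,
                        struct pam_response **resp, void *appdata_ptr)
{
    struct conv_state *st = appdata_ptr;
    struct pam_response *replies;
    int i;

    if (num_msg <= 0 || (replies = calloc((size_t)num_msg, sizeof *replies)) == NULL)
        return PAM_CONV_ERR;

    for (i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:
        case PAM_PROMPT_ECHO_ON:
            st->prompts_seen++;
            if (st->next_attempt >= st->n_attempts)   /* nothing left to hand over */
                goto fail;                             /* fail rather than block */
            if ((replies[i].resp = strdup(st->attempts[st->next_attempt++])) == NULL)
                goto fail;
            break;
        case PAM_TEXT_INFO:    /* the OPIE challenge; the patch had "ignore it" here */
        case PAM_ERROR_MSG:
            send_debug(st, msg[i]->msg);
            break;
        default:
            goto fail;
        }
    }
    *resp = replies;
    return PAM_SUCCESS;

fail:
    for (i = 0; i < num_msg; i++)
        free(replies[i].resp);
    free(replies);
    *resp = NULL;
    return PAM_CONV_ERR;
}

/* Drive one round the way an OTP module would: challenge as PAM_TEXT_INFO,
 * then a PAM_PROMPT_ECHO_OFF for the response. Returns 1 if the
 * conversation answered the prompt with `expected`. */
static int run_opie_round(struct conv_state *st, const char *challenge,
                          const char *expected)
{
    struct pam_message m0 = { PAM_TEXT_INFO, challenge };
    struct pam_message m1 = { PAM_PROMPT_ECHO_OFF, "Response: " };
    const struct pam_message *msgs[2] = { &m0, &m1 };
    struct pam_response *replies = NULL;
    int ok;

    if (ssh_pam_conv(2, msgs, &replies, st) != PAM_SUCCESS)
        return 0;
    ok = replies[1].resp != NULL && strcmp(replies[1].resp, expected) == 0;
    free(replies[0].resp);
    free(replies[1].resp);
    free(replies);
    return ok;
}

/* The two-prompt dance from the mail: a dummy password surfaces the challenge,
 * the real OTP response answers the second prompt. Returns 1 on success. */
static int two_prompt_login(const char *challenge, const char *otp_response,
                            struct conv_state *st)
{
    memset(st, 0, sizeof *st);
    st->attempts[st->n_attempts++] = "dummy";
    if (run_opie_round(st, challenge, otp_response))      /* dummy must not pass */
        return 0;
    if (strstr(st->debug_out, challenge) == NULL)         /* challenge reached client */
        return 0;
    st->attempts[st->n_attempts++] = otp_response;
    return run_opie_round(st, challenge, otp_response);
}

int main(void)
{
    struct conv_state st;
    /* Constructed sample challenge and response, not real OPIE output. */
    int ok = two_prompt_login("otp-md5 497 ke1234 ext",
                              "HOLD FEAT SAID ODE WIT TOY", &st);
    printf("login %s; sent to client as debug:\n%s", ok ? "ok" : "failed", st.debug_out);
    return ok ? 0 : 1;
}
```

Build with `cc -DHAVE_LIBPAM ... -lpam` to compile the same callback against the real header; without the define it runs stand-alone. The point worth keeping from it is the failure path: a client configured for a single password prompt exhausts the attempt list on the second prompt, and the callback returns PAM_CONV_ERR instead of hanging the session waiting for input that will never come.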