[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SSH and Linux-PAM?



[Mumble from the back room.. I've been reworking this ssh patch to be a
little simpler. My primary motivation is to use it as a test vehicle for
a fingerprinting authentication device I was given by the "American
Biometric Company". When I have that working, it should be trivial for
someone in the free world to code up an RSA PAM-module/agent pair. I
don't see PAM supporting non-PAM-agent aware ssh-clients, but I guess
this is an evolution thing.]

Cheers

Andrew

Stephen Langasek wrote:
> 
> On 11 Jun 1999, Steve Dunham wrote:
> 
> > > After some investigation, this is exactly what is happening.  Users
> > > are able to get around PAM through an rhosts file.  In our
> > > application, it is necessary to have rhosts authentication.  So the
> > > question is, where can I find a pamified SSH that doesn't have this
> > > problem.  I.e, one that uses PAM when doing password-based
> > > authentication as well as when authenticating using an RSA key or an
> > > rhosts file?
> 
> > IIRC, there is an option in /etc/ssh/sshd_config that lets you disable
> > this "feature".
> 
> It's possible to set ssh up to do password-only authentication, in which
> case it passes control to PAM; however, if handled this way, I believe
> that sshd (at least in all currently available implementations) concludes
> that RSA authentication is not supported, and informs the client of this.
> The result is that the client never tries to send RSA keys, so even if you
> have a PAM module that supports them, you won't be able to use it.
> 
> It would certainly be nice if it /was/ possible, tho...
> 
> -Steve Langasek
> postmodern programmer
> 
> --
> To unsubscribe: mail -s unsubscribe pam-list-request@redhat.com < /dev/null



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []