
Challenge-based authentication (Was: Re: binary prompts and pam limited by some other protocol)



> I had wanted to design a generic wrapper API for all those systems atop
> PAM w/ binary prompts. But that has gone nowhere. Although, the one
> example of binary prompts included in Linux-PAM is, in fact, a wrapper
> around a home-grown network authentication system based on shared
> secrets, so a bare-bones proof of concept exists.

I have been racking my brains for a solution to a similar problem, and
I am coming to the conclusion that PAM needs to be extended.

At the risk of being somewhat long-winded, let me illustrate the problem
with ftpd and a challenge-based authenticator like OPIE or S/Key.

What actually happens:

1) The ftpclient connects to the ftpserver.

2) The ftpclient obtains the username and sends "USER <username>"

3) The ftpclient obtains the password and sends "PASS <password>"

4) The ftpserver calls pam_authenticate().

What needs to happen:

1) The ftpclient connects to the ftpserver. (UNCHANGED)

2) The ftpclient obtains the username and sends "USER <username>" (UNCHANGED)

2a) The ftpserver calls pam_challenge() - a proposed function that calls
    all/any challenge functions that would/should use a conversation
    function to present appropriate challenges to the ftpclient.

3) The ftpclient obtains the password and sends "PASS <password>" (UNCHANGED)

4) The ftpserver calls pam_authenticate(). (UNCHANGED)

I have not thought about this for very long, so there are doubtless
fundamental flaws in the idea.

Comments? I could hack up a proof-of-concept of this in short order.

M
-- 
Mark Murray
Warning: this .sig is umop ap!sdn
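Step 2a of the proposed flow, as an added example that is not code from the post or from Linux-PAM: a PAM-style conversation callback on the ftpd side turns the challenge emitted by a stand-in for the proposed pam_challenge() into the FTP 331 reply, and refuses any message that would need an answer before PASS. The names pam_challenge_demo, challenge_reply_for and ftp_session, the mimicked libpam types, and the seq/seed values are assumptions.

```c
/* Added sketch (not code from the post or Linux-PAM): the proposed
 * pam_challenge() step between USER and PASS via a PAM-style conversation. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Mimics of libpam's conversation types and codes, assumed to match Linux-PAM. */
#define PAM_SUCCESS   0
#define PAM_TEXT_INFO 4
#define PAM_CONV_ERR  19
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};
struct ftp_session { char reply[256]; };
/* ftpd side: the challenge becomes the 331 reply the ftpclient shows before it
 * prompts for PASS. Only PAM_TEXT_INFO fits: nothing can be answered until PASS. */
static int ftpd_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *appdata)
{
    struct ftp_session *s = appdata;
    *resp = NULL;                        /* informational: nothing to answer */
    for (int i = 0; i < n; i++) {
        if (msg[i]->msg_style != PAM_TEXT_INFO)
            return PAM_CONV_ERR;
        snprintf(s->reply, sizeof s->reply, "331 %s\r\n", msg[i]->msg);
    }
    return PAM_SUCCESS;
}
/* Stand-in for the proposed pam_challenge(): a real module would fetch the user's
 * OTP state; seq/seed are constructed samples in OPIE's "otp-md5 <seq> <seed>" form. */
static int pam_challenge_demo(const struct pam_conv *pc, const char *user, int seq, const char *seed)
{
    char text[128];
    struct pam_message m = { PAM_TEXT_INFO, text };
    const struct pam_message *mp = &m;
    struct pam_response *r = NULL;
    snprintf(text, sizeof text, "Response to otp-md5 %d %s required for %s", seq, seed, user);
    int rc = pc->conv(1, &mp, &r, pc->appdata_ptr);
    free(r);                             /* NULL for PAM_TEXT_INFO; harmless */
    return rc;
}
/* Step 2a: after USER, before PASS. Returns the 331 line, or NULL on refusal. */
const char *challenge_reply_for(const char *user, struct ftp_session *s)
{
    struct pam_conv pc = { ftpd_conv, s };
    s->reply[0] = '\0';
    return pam_challenge_demo(&pc, user, 498, "ke1234") == PAM_SUCCESS ? s->reply : NULL;
}
```

The ftpclient receives the 331 line in reply to USER and can show the challenge before asking the user for the one-time response, which then travels in PASS exactly as pam_authenticate() expects.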