ssh public keys and pam
Ian Mortimer
ian at physics.uq.edu.au
Mon Oct 24 02:36:17 UTC 2005
On Fri, 2005-10-21 at 23:31 +0000, Daniel Jacober wrote:
> I don't agree. Here's how I believe it should work:
> - All users are registered in the LDAP directory including their
> public key.
> - A User wants to authenticate with SSH from a client to a server
> therefore he sends a public key.
> The sshd on the target server receives the key and sends it
> (with or without PAM) to an LDAP directory server (obviously some
> additional security must be implemented to communicate to the LDAP DS).
> - The directory server then compares the received public key to
> the one stored in the directory belonging to the user asking for
> authentication.
> - If authentication is ok the LDAP - DS sends auth ok back to the
> sshd which grants the user access to the system.
This is not how ssh authentication works with public keys.
What happens is along these lines:
the server sends a challenge to the client
the client encrypts the challenge using the private key
the server decrypts the reply using the public key and tries
to match it against the challenge it sent.
At no stage does the client send the public key to the server.
To use a public key from LDAP, the server would have to extract the
public key from the directory and use that to decrypt the client's
response to the challenge.
--
Ian
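The challenge-and-response flow Ian describes, with the server pulling the user's public key out of the directory rather than accepting one from the client, as an added example that is not part of the original post or of any pam/sshd/LDAP code. It uses Go's standard-library Ed25519, realizes the "encrypt the challenge with the private key" step as a digital signature that the server verifies with the looked-up key, and stands a map in for the LDAP directory; the user names, keys and challenges are constructed here and the function names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Directory stands in for the LDAP directory: username -> public key as it
// would sit in a directory attribute (base64 text). Constructed for this example.
type Directory map[string]string

// GenerateKeyPair makes a user's key pair; the private half stays on the client.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// RegisterUser stores only the public key in the directory.
func RegisterUser(dir Directory, user string, pub ed25519.PublicKey) {
	dir[user] = base64.StdEncoding.EncodeToString(pub)
}

// LookupPublicKey is the server-side fetch: the key comes from the directory,
// never from the client, and a malformed entry is treated as "no key".
func LookupPublicKey(dir Directory, user string) (ed25519.PublicKey, error) {
	enc, ok := dir[user]
	if !ok {
		return nil, errors.New("user not found in directory")
	}
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return nil, fmt.Errorf("malformed key in directory: %w", err)
	}
	if len(raw) != ed25519.PublicKeySize {
		return nil, errors.New("stored key has wrong length")
	}
	return ed25519.PublicKey(raw), nil
}

// NewChallenge is the server's fresh random challenge; one per attempt, so a
// reply captured earlier cannot be replayed against a later challenge.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// ClientSign is the client's reply: the challenge signed with the private key.
func ClientSign(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// ServerVerify checks the reply against the challenge the server issued, using
// the public key looked up for the claimed user. Any lookup failure is a refusal.
func ServerVerify(dir Directory, user string, challenge, reply []byte) bool {
	pub, err := LookupPublicKey(dir, user)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, challenge, reply)
}

func main() {
	dir := Directory{}
	pub, priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	RegisterUser(dir, "alice", pub)

	challenge, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	reply := ClientSign(priv, challenge)
	fmt.Println("alice accepted:", ServerVerify(dir, "alice", challenge, reply))

	// The same reply presented against a different challenge is refused.
	other, _ := NewChallenge()
	fmt.Println("replayed reply accepted:", ServerVerify(dir, "alice", other, reply))
}
```

The point the split makes visible: the directory holds only public material, the client only ever proves possession of the private key, and the server decides locally after fetching the key, so the directory is a read-only key store in this flow and never sees the challenge or the reply.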