ssh public keys and pam
Darren Tucker
dtucker at zip.com.au
Fri Oct 21 01:52:07 UTC 2005
(the following refers to OpenSSH's sshd and may or may not apply to
other implementations.)
Stanislav Sedov wrote:
> It seems that SSH can't fetch keys using PAM or LDAP.
For the vanilla distribution that's true. As others have mentioned,
there are patches to do this.
> Furthermore,
> SSHd doesn't use PAM if the user is authenticating using
> public keys.
That's not correct. Even if you're authenticating via public-key, as
long as UsePAM is enabled in sshd_config then pam_acct_mgmt(),
pam_setcred() and pam_open_session() are still used.
> You must patch SSHd to fetch keys from LDAP, or write a PAM module
> that will communicate with the ssh client and verify keys manually.
> Probably, this can't be achieved, because you must initiate
> the key exchange procedure with the client.
There's no mechanism for communicating public key information between a
PAM app and PAM modules (at least, none that I'm aware of, and if there
is one I would be interested in hearing about it).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
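
Added example, not part of the original message or of OpenSSH: a small Python audit that reads a pam.d service file and shows which rules the three calls named above (pam_acct_mgmt(), pam_setcred(), pam_open_session()) reach on a public-key login. It assumes public key is the only authentication method in use; the function names and the sample file are constructed for illustration.

```python
import re

# Calls the message says sshd still makes for a public-key login with UsePAM on,
# keyed by module type. Linux-PAM: pam_setcred() runs the "auth" modules' pam_sm_setcred().
PUBKEY_CALLS = {
    "account": "pam_acct_mgmt()",
    "auth": "pam_setcred()",
    "session": "pam_open_session()",
}
ENTRY = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_pam_service(text):
    """Return (type, control, module) for each rule in a pam.d service file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("@include"):
            continue  # assumption: Debian-style includes are not followed
        m = ENTRY.match(line)
        if m:
            rules.append((m.group(1).lower(), m.group(2), m.group(3)))
    return rules

def pubkey_login_view(text):
    """Map each rule to the call that reaches it on a public-key login."""
    view = []
    for mtype, control, module in parse_pam_service(text):
        call = PUBKEY_CALLS.get(mtype)
        if mtype == "auth":
            note = "credential hook only, pam_sm_authenticate() is not run"
        elif call:
            note = "runs"
        else:
            note = "not reached by the three calls named above"
        view.append((mtype, module, call, note))
    return view

# Constructed sample of /etc/pam.d/sshd, not taken from any real host.
SAMPLE = """\
auth      required                      pam_unix.so   # password check
auth      [success=1 default=ignore]    pam_succeed_if.so user ingroup wheel
account   required                      pam_access.so
-session  optional                      pam_systemd.so
password  required                      pam_unix.so
"""

if __name__ == "__main__":
    for mtype, module, call, note in pubkey_login_view(SAMPLE):
        print(f"{mtype:9}{module:20}{call or '-':20}{note}")
```

Access restrictions that must also bind key-based logins belong in the account or session rules, since checks done by the auth rules during authentication are skipped on this path.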