ssh public keys and pam

Daniel Jacober daniel.jacober at gmail.com
Fri Oct 21 23:31:55 UTC 2005


To Daren

I think you're right there's no way to get the public key information
into the PAM module.

>
> (the following refers to OpenSSH's sshd and may or may not apply to
> other implementations.)
>
> Stanislav Sedov wrote:
>
>> It seems that SSH can't fetch keys using PAM or LDAP.
>
> For the vanilla distribution that's true. As others have
> mentioned, there are patches to do this.
>
>> Furthermore, SSHd doesn't use PAM in case the user is
>> authenticating using public keys.
>
> That's not correct. Even if you're authenticating via public-key,
> as long as UsePAM is enabled in sshd_config then pam_acct_mgmt(),
> pam_setcred() and pam_open_session() are still used.

Correct me if I'm wrong, but according to the PAM docs those are all PAM
application functions. So there's no way of accessing the public key in the module?

>
>> You must patch SSHd to fetch keys from LDAP, or write a PAM module
>> that will communicate with the ssh client and verify keys manually.
>> Probably this can't be achieved, because you must initiate the key
>> exchange procedure with the client.
>
> There's no mechanism for communicating public key information
> between a PAM app and PAM modules (at least, none that I'm aware of,
> and if there is one I would be interested in hearing about it).
>

I agree, see my comment above.

>
> I am not an expert on SSH, but storing the public key in LDAP would
> only allow you to authenticate the machine against the stored key in
> LDAP. I am a little bit in the dark as to how you would authenticate
> the user this way, unless you had the user enter the passphrase used
> to create the public key and use that as the PAM_AUTHTOK value.
>
> Perhaps some more information on it?

To Jason

I don't agree. Here's how I believe it should work:
    - All users are registered in the LDAP directory, including their
public key.
    - A user wants to authenticate with SSH from a client to a server,
therefore he sends a public key.
    - The sshd on the target server receives the key and sends it
(with or without PAM) to an LDAP directory server (obviously some
additional security must be implemented to communicate with the LDAP DS).
    - The directory server then compares the received public key to
the one stored in the directory belonging to the user asking for
authentication.
    - If authentication is ok the LDAP - DS sends auth ok back to the
sshd, which grants the user access to the system.

Now I know this isn't as easy as it sounds, but if you want to
administer several hundred servers this could be an easy and
completely open source way to centrally manage many users.

As it seems that using PAM isn't possible, I will play around with the
SSH - LDAP patch mentioned by Eric in
https://www.redhat.com/archives/pam-list/2005-October/msg00040.html.
Up to now I wasn't able to integrate the patch, although SSH compiled
correctly. I will just have to try again I guess :-).
If someone knows more about this patch or if someone comes up with a
hint regarding PAM, I'd appreciate any help :-).

Thanks Daniel
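The lookup-and-compare step of the flow Daniel sketches above, as an added example that is not from this thread nor from the sshd patches it mentions: it parses OpenSSH public key lines, looks the user up in a directory (a constructed in-memory stand-in for LDAP) and matches the presented key on key type and key material only, never on the comment. The sample keys are constructed bytes, not real keys.

```python
import base64
import binascii
import hmac

def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the data."""
    return len(b).to_bytes(4, "big") + b

def key_line(key_type: str, raw: bytes, comment: str) -> str:
    """Build an authorized_keys-style line; used here only to construct samples."""
    blob = ssh_string(key_type.encode()) + ssh_string(raw)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

# Constructed in-memory stand-in for the LDAP directory (uid -> sshPublicKey
# values). The 32-byte values are arbitrary sample bytes, not real keys.
DIRECTORY = {
    "alice": [key_line("ssh-ed25519", bytes(range(32)), "alice@laptop")],
    "bob": [key_line("ssh-ed25519", bytes(range(32, 64)), "bob@desk"),
            key_line("ssh-ed25519", bytes(range(64, 96)), "bob@home")],
}

def parse_key(line: str):
    """Return (key_type, blob) or None for a malformed line. The type named
    inside the blob must match the leading word, so a line cannot claim one
    algorithm while carrying another."""
    fields = line.split()
    if len(fields) < 2:
        return None
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except (binascii.Error, ValueError):
        return None
    name = fields[0].encode()
    n = int.from_bytes(blob[:4], "big")
    if n != len(name) or blob[4:4 + n] != name:
        return None
    return fields[0], blob

def key_is_authorized(user: str, presented: str) -> bool:
    """True if the presented key's type and material match a key stored for
    the user; the comment field is never part of the comparison."""
    offered = parse_key(presented)
    if offered is None:
        return False
    ok = False
    for stored in map(parse_key, DIRECTORY.get(user, [])):
        if stored and stored[0] == offered[0] and hmac.compare_digest(stored[1], offered[1]):
            ok = True
    return ok
```

In OpenSSH 6.2 and later the same directory lookup can be hooked in without patching sshd through the AuthorizedKeysCommand option, which runs a program that prints the user's keys and leaves the comparison to sshd itself.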