ssh public keys and pam

Daniel Jacober daniel.jacober at gmail.com
Mon Oct 24 23:40:59 UTC 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> Ian Mortimer wrote:
>
>> This is not how ssh authentication works with public keys. What
>> happens is along these lines:
>
>
> I believe this is backwards.
>
>> the server sends a challenge to the client
>
>
> the server generates a challenge, and encrypts it with the public
> key (authorized_keys).
>
>> the client encrypts the challenge using the private key
>
>
> the client decrypts the encrypted challenge and sends it back,
> decryption requires the private key, not the public. Thus
> decrypting the challenge proves one possesses the private key.
>
>> the server decrypts the reply using the public key and tries to
>> match it against the challenge it sent.
>
>
> the server verifies the decrypted challenge sent back by the client
> is the same one it sent out. You can only encrypt with a public
> key, you cannot decrypt.
>
>> At no stage does the client send the public key to the server.
>
>
> true, the server already has the public key (it's in
> authorized_keys). the client also never sends the private key to
> the server, it only sends the Comment string so the server knows
> which key in authorized_keys one wishes to use.

So Ian, if I understand your posting right, there's no way to pass this
to a PAM module, because it would require direct interaction between the
PAM module and the SSH client.

The PAM module would have to play the SSH server, sending an encrypted
challenge to the client requesting authentication.

Is that right?

Regards Daniel
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDXXEL+Jpc4lzks7cRAkIRAJ4udZNxo4OSNcLPWO0BwLK5z0xUOACdHnW2
8MwLJ3wTzlBcfQJoF5mo4Lo=
=GwJ/
-----END PGP SIGNATURE-----
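The challenge/response flow the thread describes, modelled in Python as an added example (it is not code from the thread, from OpenSSH or from any PAM module). It follows the exchange exactly as the quoted reply states it: the server encrypts a random challenge with the key it finds in authorized_keys, the client decrypts with its private key, the server compares. Textbook RSA with constructed tiny primes keeps the numbers readable and makes it useless as real cryptography; the key comment "daniel@laptop", the AUTHORIZED_KEYS dictionary and every function name are assumptions made for the example. (Real SSH-2 public-key authentication has the client sign session data instead, which the server verifies with the same public key; the shape of the proof of possession is the same.) What it shows is that the server side never needs anything but public keys, that a client holding a different private key fails the check, and that whichever component runs the check has to be able to talk to the SSH client directly, which is the point Daniel is asking about.

```python
import secrets


def _modinv(a, m):
    """Modular inverse of a mod m via the extended Euclidean algorithm."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("no modular inverse")
    return s0 % m


def keypair(p, q, e=65537):
    """Textbook RSA from two primes: returns ((n, e), (n, d)). No padding, toy only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, _modinv(e, phi))


# Constructed keys: primes just above one million, readable and not secure.
CLIENT_PUB, CLIENT_PRIV = keypair(1000003, 1000033)
OTHER_PUB, OTHER_PRIV = keypair(1000037, 1000039)   # some unrelated key

# Server side: stands in for ~/.ssh/authorized_keys, looked up by comment.
# Only public keys live here; nothing on the server can answer a challenge.
AUTHORIZED_KEYS = {"daniel@laptop": CLIENT_PUB}


def server_challenge(comment, challenge=None):
    """Server step: pick a random challenge and encrypt it with the authorized
    public key named by the client's comment. Returns (challenge, encrypted),
    or None when no such key is authorized."""
    pub = AUTHORIZED_KEYS.get(comment)
    if pub is None:
        return None
    n, e = pub
    if challenge is None:                      # fixed value only for testing
        challenge = 2 + secrets.randbelow(n - 2)
    return challenge, pow(challenge, e, n)


def client_answer(priv, encrypted):
    """Client step: decrypt the challenge. Only the private key can do this."""
    n, d = priv
    return pow(encrypted, d, n)


def server_verify(expected, answer):
    """Server step: the answer must equal the challenge that was sent out."""
    return expected == answer


def run_exchange(comment, priv, challenge=None):
    """Whole exchange: client names its key, server challenges, client answers,
    server checks. Returns True only when priv matches the authorized key."""
    issued = server_challenge(comment, challenge)
    if issued is None:
        return False
    expected, encrypted = issued
    return server_verify(expected, client_answer(priv, encrypted))


if __name__ == "__main__":
    print("right key:   ", run_exchange("daniel@laptop", CLIENT_PRIV))
    print("wrong key:   ", run_exchange("daniel@laptop", OTHER_PRIV))
    print("unknown key: ", run_exchange("nobody@nowhere", CLIENT_PRIV))
```

Note that `server_challenge` and `client_answer` are two separate parties exchanging two messages; a component that only receives a username and a password from its caller, the way a conventional PAM conversation does, has no channel on which to send the encrypted challenge to the SSH client or receive the decrypted answer back.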




More information about the Pam-list mailing list