Struggles with PAM.
s_n
jusnet at vp.pl
Mon Dec 4 16:17:53 UTC 2006
Hi,
First of all, greetings to all subscribers of this list, as this is practically my
first post on it ;]
I'm writing my own authentication PAM module. During my work I've
encountered some frustrating and ridiculous situations, which were
mainly an aftermath of the lack of a coherent specification. Furthermore,
there are no reliable sources of information from the developer's point of
view, including man pages, IRC networks and web pages. A few examples and
lapidary descriptions unfortunately won't do the job. I wish the PAM
projects (Linux-PAM, OpenPAM, the Solaris implementation etc.) had documentation
nearly as good as OpenBSD's (a pity that OpenBSD hasn't got its
own implementation of PAM; maybe it would be the only one). But enough
complaining, on to the substance...
There are two basic assumptions about my PAM module:
- Platform independent, as much as possible.
- Implements two-factor authentication, which in this case is simply a
challenge/response mechanism.
My first surprise when writing this module was the variance between different
PAM implementations, where each has some extensions of its own. In Linux-PAM
there are even differences between the official PAM library from kernel.org
and the one installed on the Linux distribution which is claimed to be the
most secure one (maybe there are others, such as [k]ubuntu, which are based on that
distro). In effect the code won't compile, because the developers of this
distribution, for reasons known only to themselves, didn't approve a few
extensions. This way the PAM library will in future be not only platform
dependent but also dependent on the goodwill of the given distro's
developers. Silly.
The second thing which is interesting in its madness is passing and
receiving data between [pam_module <-> application <-> user].
There is the well-known pam_conv(3) mechanism, used in almost all PAM
implementations, but there are also the dependent pam_prompt(3), pam_info(3),
pam_get_authtok(3) etc. And here the fun begins. Whatever function you
use, it can behave differently with different services (e.g. with ssh you
are able to display a challenge and receive a response via any function, but
with ftp you can do nothing about it; what is the reason?).
To conclude somehow all my scribbles above:
- Is there any authority which could set some standards about what the
basic functionality of PAM libraries should be?
- Are there people who can give their free time and contribute to creating
some coherent PAM documentation which will be generic for the most
popular PAM implementations (I would)? Is it worth the effort anyway?
- Is it reasonable for PAM module developers to use PAM extensions, given
that system/distro developers are not obliged to include them in the PAM
library?
- Are there any suggestions about how to write an independent PAM module
without writing different versions for every PAM library implementation?
- Is it possible to display information to the authenticated user who logs
in via ftp or similar protocols? (ftp works fine with "transparent"
authentication modules but not with challenge/response ones.)
At the very end, sorry for including so much mixed information in one post.
Sincerely,
Filip (s_n) Palian.
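The pam_conv(3) exchange the post describes, as an added example that is not code from the original post, from Linux-PAM or from any other PAM project: the module side sends one message per conversation call (the portable form, since Solaris-style applications and Linux-PAM disagree on how a multi-message array is laid out) and treats a service that cannot prompt as a conversation failure rather than a wrong answer. The two application-side conversation functions are constructed stand-ins for the ssh and ftp cases in the post; the challenge text and expected code are constructed values; and when PAM headers are not available the block uses local copies of the Linux-PAM conversation types and return codes, which is an assumption about their layout.

```c
/* Added example for this thread (not code from the post or from any PAM
 * project): a challenge/response exchange over the PAM conversation callback,
 * with the module side plus two application sides, an interactive service and
 * an ftp-like one that has no channel for prompts. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

#ifdef HAVE_SECURITY_PAM_APPL_H
#include <security/pam_appl.h>
#else
/* Local copies of the conversation types and return codes, using the values
 * and layout of Linux-PAM's <security/pam_appl.h>, so this builds without PAM. */
enum { PAM_SUCCESS = 0, PAM_PROMPT_ECHO_OFF = 1, PAM_TEXT_INFO = 4, PAM_AUTH_ERR = 7, PAM_CONV_ERR = 19 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv { int (*conv)(int, const struct pam_message **, struct pam_response **, void *); void *appdata_ptr; };
#endif

/* Zero a secret before freeing it; the volatile pointer keeps the stores from being elided. */
static void wipe_free(char *s) { if (!s) return; for (volatile char *p = s; *p; p++) *p = 0; free(s); }

static void free_responses(struct pam_response *r, int n)
{
    if (r == NULL) return;
    for (int i = 0; i < n; i++) wipe_free(r[i].resp);
    free(r);
}

/* Comparison whose running time does not depend on where the strings differ. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)((i < la ? a[i] : 0) ^ (i < lb ? b[i] : 0));
    return diff == 0;
}

/* Module side: one message per conv() call, as the Linux-PAM module writer's
 * guide recommends: Solaris-style applications read msg as a pointer to an
 * array rather than an array of pointers, and single messages suit both. */
static int converse_one(const struct pam_conv *conv, int style, const char *text, char **answer)
{
    struct pam_message m = { style, text };
    const struct pam_message *pm = &m;
    struct pam_response *r = NULL;

    if (answer) *answer = NULL;
    if (conv == NULL || conv->conv == NULL) return PAM_CONV_ERR;
    if (conv->conv(1, &pm, &r, conv->appdata_ptr) != PAM_SUCCESS) { free_responses(r, 1); return PAM_CONV_ERR; }
    if (answer != NULL) {
        if (r == NULL || r[0].resp == NULL) { free_responses(r, 1); return PAM_CONV_ERR; }
        *answer = r[0].resp;  /* caller now owns and wipes the secret */
        r[0].resp = NULL;
    }
    free_responses(r, 1);
    return PAM_SUCCESS;
}

/* Module side: show the challenge, collect the response, compare. A service that
 * cannot prompt yields PAM_CONV_ERR, not PAM_AUTH_ERR, so "no channel" and "wrong
 * code" stay distinguishable to the application and in its logs. */
static int challenge_response_auth(const struct pam_conv *conv, const char *challenge, const char *expected)
{
    char *answer = NULL;
    int rc = converse_one(conv, PAM_TEXT_INFO, challenge, NULL);
    if (rc != PAM_SUCCESS) return rc;
    rc = converse_one(conv, PAM_PROMPT_ECHO_OFF, "Response: ", &answer);
    if (rc != PAM_SUCCESS) return rc;
    rc = ct_equal(answer, expected) ? PAM_SUCCESS : PAM_AUTH_ERR;
    wipe_free(answer);
    return rc;
}

/* Application side (constructed): an interactive service that answers each echo-off prompt with appdata. */
static int scripted_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *appdata)
{
    struct pam_response *r = calloc((size_t)n, sizeof *r);
    if (r == NULL) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++)
        if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF &&
            (r[i].resp = strdup((const char *)appdata)) == NULL) {
            free_responses(r, n);
            return PAM_CONV_ERR;
        }
    *resp = r;
    return PAM_SUCCESS;
}

/* Application side (constructed): an ftp-like service with no interactive channel; info text is fine, prompts are not. */
static int silent_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *appdata)
{
    (void)appdata;
    for (int i = 0; i < n; i++)
        if (msg[i]->msg_style != PAM_TEXT_INFO) return PAM_CONV_ERR;
    *resp = calloc((size_t)n, sizeof **resp);
    return *resp ? PAM_SUCCESS : PAM_CONV_ERR;
}

/* Driver: run the module against one of the two services; challenge text and expected code are constructed. */
int run_challenge_auth(int interactive, char *typed, const char *expected)
{
    struct pam_conv c = { interactive ? scripted_conv : silent_conv, typed };
    return challenge_response_auth(&c, "Challenge: 48-21-07", expected);
}
```

Calling `run_challenge_auth(1, "4711", "4711")` returns PAM_SUCCESS, a wrong or differently sized code returns PAM_AUTH_ERR, and `run_challenge_auth(0, ...)` returns PAM_CONV_ERR as soon as the echo-off prompt is refused, which is the distinction a module needs in order to tell an application without a prompt channel apart from a failed login.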