Struggles with PAM.

s_n jusnet at vp.pl
Mon Dec 4 16:17:53 UTC 2006


Hi,

First of all, greets to all subscribers of this list, as it's practically my 
first post on it ;]

I'm writing my own authentication pam module. During my work I've 
encountered some frustrating and ridiculous situations, which were 
mainly an aftermath of the lack of a coherent specification. Furthermore, 
there are no reliable sources of information, including man pages, irc 
networks and web pages, from a developer's point of view. A few examples and 
lapidary descriptions won't do the job, unfortunately. I wish the PAM 
projects (Linux-PAM, OpenPAM, the Solaris implementation etc.) had documentation 
nearly as good as the one in OpenBSD (pity that obsd hasn't got its 
own implementation of pam, maybe it would be the only one). But let me stop 
complaining and move on to the point...

There are two basic assumptions about my pam module:
  - Platform independent as much as possible.
  - Implements Two Factor Authentication, which is simply a 
challenge/response mechanism in this case.

My first surprise writing this module was the variance between different 
pam implementations, where each has some extensions of its own. In linux-pam 
there are even differences between the official pam library from kernel.org 
and the one installed on the linux distribution which is claimed to be the 
most secure one (maybe there are others, such as [k]ubuntu, which are based on this 
distro). In effect the code won't compile because the developers of this 
distribution, for reasons known only to themselves, didn't approve a few 
extensions. This way the PAM library will in the future be not only platform 
dependent but will also depend on the goodwill of the given distro's 
developers, silly.

The second thing which is interesting in its madness is passing and 
receiving data between [pam_module <-> application <-> user].
There is the well known pam_conv(3) mechanism used in almost all pam 
implementations, but there are also the dependent pam_prompt(3), pam_info(3), 
pam_get_authtok(3) etc. And here the fun begins. Whatever function you 
use, it can behave differently with different services (e.g. with ssh you 
are able to display the challenge and receive the response via any function, but 
with ftp you can do nothing about it; what is the reason?).

To somehow conclude all my scribbles above:
- Is there any authority which could set some standards about what the 
basic functionality of PAM libraries should be?

- Are there people who can give their free time and contribute to creating 
some coherent pam documentation which will be generic for the most 
popular pam implementations (I would)? Is it worth the effort anyway?

- Is it reasonable for pam module developers to use pam extensions, as 
system/distro developers are not obliged to include them in the pam 
library?

- Are there any suggestions about how to write an independent pam module 
without writing different versions for every pam library implementation?

- Is it possible to display information to the authenticating user who logs 
in via ftp or similar protocols (ftp works fine with "transparent" 
authentication modules but not with challenge/response ones)?


At the very end, sorry for including so much mixed information in one post.

Sincerely,
Filip (s_n) Palian.
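The data path the post describes, as an added example that is not part of the original message or of any PAM project's code: a challenge/response step written only against the pam_conv(3) conversation interface that Linux-PAM and OpenPAM share, instead of the pam_prompt(3)/pam_info(3) extensions whose availability varies. The stand-in type definitions, the function names and the scripted application-side conversation function are constructed for this example; the scripted side with `show_info == 0` stands in for a "transparent" service such as ftp that accepts a password but cannot show challenge text.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for the pam_conv(3) types and two message styles (same
   layout and values in Linux-PAM and OpenPAM); a real module includes <security/pam_appl.h>. */
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_TEXT_INFO = 4 };

/* Module side; in a module cv comes from pam_get_item(pamh, PAM_CONV, ...). Returns 1 = match,
   0 = mismatch or no answer, -1 = the service cannot carry the dialogue (the ftp case). */
int challenge_response(const struct pam_conv *cv, const char *challenge,
                       const char *expected) {
    struct pam_message m[2] = {
        { .msg_style = PAM_TEXT_INFO,       .msg = challenge   },
        { .msg_style = PAM_PROMPT_ECHO_OFF, .msg = "Response: " } };
    int ok = 0;
    if (cv == NULL || cv->conv == NULL) return -1;
    for (int i = 0; i < 2; i++) {         /* one message per call: the most portable pattern */
        const struct pam_message *mp = &m[i];
        struct pam_response *r = NULL;
        if (cv->conv(1, &mp, &r, cv->appdata_ptr) != 0 || r == NULL) return -1;
        if (i == 1 && r->resp != NULL) ok = strcmp(r->resp, expected) == 0;
        /* the module owns the reply array and its strings: wipe the secret, then free */
        if (r->resp != NULL) { memset(r->resp, 0, strlen(r->resp)); free(r->resp); }
        free(r);
    }
    return ok;
}

/* Constructed application side for testing: answers echo-off prompts with `answer`;
   show_info == 0 mimics an ftp service that can only take a password. */
struct script { const char *answer; int show_info; };
static int scripted_conv(int n, const struct pam_message **msg,
                         struct pam_response **resp, void *appdata) {
    struct script *s = appdata;
    if (n != 1 || (msg[0]->msg_style == PAM_TEXT_INFO && !s->show_info))
        return 1;                         /* any nonzero return is a conversation error */
    if ((*resp = calloc(1, sizeof **resp)) == NULL) return 1;
    if (msg[0]->msg_style == PAM_PROMPT_ECHO_OFF &&
        ((*resp)->resp = malloc(strlen(s->answer) + 1)) != NULL)
        strcpy((*resp)->resp, s->answer);
    return 0;
}

int demo(const char *answer, int show_info) {  /* test entry; the expected code is "4711" */
    struct script s = { answer, show_info };
    struct pam_conv cv = { .conv = scripted_conv, .appdata_ptr = &s };
    return challenge_response(&cv, "Code on your token:", "4711");
}
```

With the ssh-like scripted side the module sees 1 or 0; with the ftp-like side the challenge text is refused and the module gets -1, which is the failure mode the post asks about.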
