Senthil Kumar
2005-Feb-15 05:26 UTC
Is it possible to avoid PAM calls for key based Auth methods
Hello All,

I'm using OpenSSH-3.9p1 configured for PAM, krb etc. When I use key-based auth methods such as public key, gssapi etc., this skips the pam_authenticate() call and directly calls pam_acct_mgmt(). This results in a failed attempt with a few of my own PAM modules.

Is there any way to implement this facility, to be controlled by a directive in sshd_config? I mean PAM calls should not be called for key-based auth methods; however, they should be obeyed for interactive auth methods such as kbdint and password.

Thanks for the help,
Senthil Kumar.

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.791 / Virus Database: 535 - Release Date: 11/9/2004
Darren Tucker
2005-Feb-15 05:56 UTC
Is it possible to avoid PAM calls for key based Auth methods
Senthil Kumar wrote:
> I'm using OpenSSH-3.9p1 configured for PAM, krb etc. When I use key-based
> auth methods such as public key, gssapi etc., this skips the
> pam_authenticate() call and directly calls pam_acct_mgmt(). This results
> in a failed attempt with a few of my own PAM modules. Is there any way to
> implement this facility to be controlled by a directive in sshd_config.

No, there's no way to avoid that without hacking sshd. You wanted PAM, you got PAM :-)

Potentially, sshd could do a couple of things to pass the auth type to PAM so it could behave differently:

- sshd could set a PAM environment variable containing the authentication type. (Although PAM's configuration syntax is pretty limited. You could have a "sufficient" module early in the stack that returns immediately if that variable is set to, eg "public-key".)

- sshd could use different PAM service names for the different auth types (eg "sshd-public-key", "sshd-password", "sshd-gssapi-with-mic") and fall back to "sshd" if these don't exist. This would probably be tricky to write because you'd have to stop and start PAM for each auth attempt.

> I mean PAM calls should not be called for key based Auth methods,

I disagree with that for the general case: there are many valid reasons to call the non-auth PAM functions for non-password auths (eg account expiry, session modules).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
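The following is an added illustration, not code from the thread, from sshd or from Linux-PAM. It models the call sequence Senthil describes (password auth runs pam_authenticate() then pam_acct_mgmt(); key-based auth runs pam_acct_mgmt() only) together with Darren's first suggestion, an early "sufficient" module that succeeds as soon as an environment variable says the user was authenticated by key. The variable name SSH_AUTH_TYPE, the guard module and the site modules are assumptions made up for the example; the control-flag semantics (required / requisite / sufficient / optional) follow the usual PAM stack rules, including the detail that a "sufficient" success does not short-circuit once an earlier "required" module has already failed, which is why Darren says "early in the stack".

```python
"""Model of the PAM stack behaviour discussed in this thread.

Constructed illustration, not sshd or Linux-PAM code. SSH_AUTH_TYPE and the
modules below are assumptions for the sake of the example.
"""

PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_IGNORE = 25


def run_stack(stack, pamh):
    """Evaluate [(control, module), ...] the way a PAM stack is evaluated.

    required:   failure is remembered, remaining modules still run.
    requisite:  failure returns immediately.
    sufficient: success returns immediately unless a required module already
                failed; failure is ignored.
    optional:   result ignored.
    """
    first_failure = None
    for control, module in stack:
        rc = module(pamh)
        if control == "requisite" and rc != PAM_SUCCESS:
            return rc
        if control == "required" and rc != PAM_SUCCESS and first_failure is None:
            first_failure = rc
        if control == "sufficient" and rc == PAM_SUCCESS and first_failure is None:
            return PAM_SUCCESS
    return PAM_SUCCESS if first_failure is None else first_failure


# --- modules (stand-ins, constructed for the example) -----------------------

def pam_guard_authtype(pamh):
    """Hypothetical guard: succeed as soon as sshd reports key-based auth."""
    if pamh["env"].get("SSH_AUTH_TYPE") in ("publickey", "gssapi-with-mic"):
        return PAM_SUCCESS
    return PAM_IGNORE  # ignored under "sufficient"; later modules decide


def pam_site_auth(pamh):
    """Stand-in site auth module: records that pam_authenticate() ran."""
    pamh["state"]["authenticated"] = True
    return PAM_SUCCESS


def pam_site_account(pamh):
    """Stand-in for the site account module that breaks in the thread: it
    assumes pam_authenticate() already ran, which is false for key auth."""
    if pamh["state"].get("authenticated"):
        return PAM_SUCCESS
    return PAM_PERM_DENIED


AUTH_STACK = [("required", pam_site_auth)]
ACCOUNT_PLAIN = [("required", pam_site_account)]
# Darren's option 1: guard early in the stack, marked sufficient.
ACCOUNT_GUARDED = [("sufficient", pam_guard_authtype),
                   ("required", pam_site_account)]
# Same guard placed after the site module: too late to help.
ACCOUNT_GUARD_LATE = [("required", pam_site_account),
                      ("sufficient", pam_guard_authtype)]


def sshd_login(method, account_stack):
    """Mimic sshd's PAM call order for one login attempt and return the rc."""
    pamh = {"env": {"SSH_AUTH_TYPE": method}, "state": {}}
    if method in ("password", "keyboard-interactive"):
        rc = run_stack(AUTH_STACK, pamh)          # pam_authenticate()
        if rc != PAM_SUCCESS:
            return rc
    return run_stack(account_stack, pamh)         # pam_acct_mgmt()


if __name__ == "__main__":
    for stack_name, stack in (("plain", ACCOUNT_PLAIN),
                              ("guarded", ACCOUNT_GUARDED),
                              ("guard-late", ACCOUNT_GUARD_LATE)):
        for method in ("password", "publickey"):
            print(f"{stack_name:10s} {method:10s} -> rc={sshd_login(method, stack)}")
```

Running it shows the three outcomes the thread turns on: with the plain account stack a public-key login is denied because the site module expected pam_authenticate() to have run; with the guard first and marked sufficient, public-key logins pass while password logins still go through the site module; and with the guard placed after the site module the earlier required failure wins and the login is still denied.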