We ported OpenSSH's authentication to Pluggable Non-Interactive
Authentication Modules (PNIAM).
PNIAM is a development effort carried out under GPL in Moscow State
University.
Pluggable Non Interactive Authentication Modules provide applications with
a
generic interface to authentication related functions. Actions to be done
for each
authentication request are specified by a system administrator in terms of
dynamically
loaded modules. PNIAM design incorporates best ideas of PAM (Pluggable
Authentication
Modules) project. The main difference between PAM and PNIAM is the target.
The main
target of PNIAM is a clear and reliable authentication scheme for Internet
servers.
Internet protocols usually specify a fixed set of requests and replies
between the server
and the client. It makes the interactive authentication hardly possible.
PNIAM deals with
a set of requests and replies rather than interacts with the user. That's
why words
``Non Interactive'' are in the name.
Request and replies are exchanged using lists of named items.
PNIAM runs on Linux, but it has a generic architecture that allows to port
it to other
systems, too. AAA modules are system-specific or generic.
We provide variety of authentication, authorization, and accounting modules.
Authentication: Using /etc/passwd, /etc/shadow; plain
password, challenge - response,
OTP using separate user database;
Authorization: Dealing with /etc/passwd, setting chroots, providing
access according to
time/terminal name/host name;
Accounting: Dealing with lastlog and utmp;
Authentication token Simple checks, cracklib;
validation:
Miscellaneous: pniam_rootok, pniam_count,pniam_nologin, pniam_allow
and pniam_deny.
We also incorporated PNIAM support in a quite a few, but important
applications:
- login
- passwd
- su
- chfn
- vlock
- FTP
- RADIUS
- OpenSSH
We consider OpenSSH as a crucial component of PNIAM-aware infrastructure. We
ported all
authentication schemes supported in OpenSSH 2.3.1p1: SSH1, SSH2 including
keyboard-interactive,
(although discussion with Martin Forssen showed that our implementation is
somewhat incorrect).
OpenSSH's port is used on a experimetal cluster system at MSU. It appears to
be stable and reliable.
>From a technical point of view most of the changes are stored in separate
files. They also contain
modified versions of auth_: functions. Configure.in script is amended in a
way that it links PNIAM-aware
files instead of conventional ones if either -with-pniam is specified or
pniam.h is found. There are
also quite a few places where we ifdef-ed our changes into the main code
trunk:
- OpenSSH requires from a user to be present in /etc/passwd. This is
not true in PNIAM, because
an authentication stack is the only decider about authentication
success / failures.
- This principle also eliminates the need in sshd_config's
configuration parameters dealing
with authentication. As a consequence the server advertises itself
as supporting all known
authentication schemes. The server does not disclose information
about valid authentication
methods.
- All user credentials are retrieved from PNIAM authorization stack
instead from /etc/passwd
- Accounting is done through PNIAM's accounting stack, not by the
server itself.
We believe that PNIAM provides Internet community with clear and reliable
AAA architecture. Thus, it
contributes benefits for all authentication-requiring applications. From our
point of view there are
mutual gains for PNIAM and OpenSSH, too.
We would like to know whether it is possible to incorporate our changes in
OpenSSH code trunk.
PNIAM home page is at http://www.msu.ru/pniam.html
OpenSSH port is at http://libraftp.narod.ru/pniam.html
Alexey Galatenko <agalat at castle.nmd.msu.ru>
Maxim Shesterikov <shesmax at ru.hilti.com>
Andrey Savochkin <saw at saw.sw.com.sg>