Hi,

The attached patch is a merge of Dag-Erling Smorgrav's PAM support for OpenSSH (from FreeBSD). IMO it is a good deal cleaner than the existing PAM code and I'd like to see it imported soon.

The code removes the existing PAM password authentication in favor of doing it all via keyboard-interactive. The diff therefore removes the PAMAuthenticationViaKbdInt config item.

It also has support for POSIX threads, which is needed (I'm told) for modules like pam_krb5. I have tested this with my basic PAM config, but the patch doesn't include the configure glue to make it work.

Since this is a disruptive change, I'd like to get some testing and feedback before committing. Please give the attached patch a try on as many platforms as possible (as many PAM configs as possible too).

FYI to those who want to read, but not apply the patch: the file auth-pam.c is completely replaced and is therefore pretty unreadable in the diff. The new version is also attached for your perusal.

-d

Attachments:
openssh-pam.diff: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030110/38632072/attachment.ksh
auth-pam.c: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030110/38632072/attachment.c
On Fri, Jan 10, 2003 at 12:44:51PM +1100, Damien Miller wrote:
> It also has support for POSIX threads, which is needed (I'm told) for
> modules like pam_krb5. I have tested this with my basic PAM config, but
> the patch doesn't include the configure glue to make it work.

Having written a pam_krb5 myself, I find this hard to believe. The krb5 libs themselves do not have any thread support and are not thread-safe. The PAM library itself does not even support threads (each thread must have its own PAM handle). Besides, sshd is single-threaded.

Having not looked at the patch, though, I shouldn't be so quick to slam it. I like the idea of only doing PAM via kbdint, but that's not going to work for a very large number of people.

/fc