IETF-SSH archive


Re: Ambiguities in section 3.1 of the keyboard-interactive draft



Jeffrey Hutzelman <jhutz%cmu.edu@localhost> writes:

> as for accounting and session management.  OpenSSH implements
> keyboard-interactive using PAM, but it does _not_ implement "password"
> that way.  This means that if you expect to use PAM to authenticate
> user logins, then the server must be configured not to support
> "password".

If I remember the PAM docs right, it's fully possible to use the
accounting and session setup stuff in PAM without using the PAM
authentication functions. Assuming I have this right, then the behaviour
you describe is just a stupid implementation quirk in openssh. And if
I'm wrong, and it isn't possible to use PAM session and accounting
management without also using PAM authentication, that just shows that
the PAM API is badly designed.

I'm quite uncomfortable with this strong coupling between
keyboard-interactive and PAM. The way it is used on these PAM systems
implies that there are two different flavors of the protocol: PAM-less
systems implement user authentication according to the userauth draft,
PAM systems do it according to the keyboard-interactive draft. And
then clients implementing the userauth draft (but not
keyboard-interactive, which I'd consider more experimental and less
mature) won't interoperate with the latter type of servers.

Regards,
/Niels
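The interoperability problem described in the message above, as an added example that is not part of the original post and not code from OpenSSH or any SSH implementation: a constructed exchange in which a server that only offers "keyboard-interactive" (the PAM-backed case) is contacted by a client that only implements "password". The message encodings follow the userauth and keyboard-interactive drafts being discussed (SSH_MSG_USERAUTH_REQUEST 50, FAILURE 51, SUCCESS 52, INFO_REQUEST 60, INFO_RESPONSE 61, as later fixed in RFC 4252 and RFC 4256). The in-memory `Server` and `client_auth` are hypothetical stand-ins, the user name and password are constructed test data, and the client's habit of answering every prompt with its password is an assumption of this example, not something either draft specifies.

```python
"""Constructed SSH userauth exchanges: "password" versus "keyboard-interactive".

Added example; not code from the original post or from OpenSSH. Wire formats
follow the userauth and keyboard-interactive drafts (later RFC 4252/4256).
The Server and client below are hypothetical stand-ins; "alice"/"hunter2"
are constructed test data.
"""
import struct

USERAUTH_REQUEST, USERAUTH_FAILURE, USERAUTH_SUCCESS = 50, 51, 52
USERAUTH_INFO_REQUEST, USERAUTH_INFO_RESPONSE = 60, 61


def s(b):
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class Reader:
    """Minimal decoder for the SSH wire types used in this example."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]
    def uint32(self):
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v
    def string(self):
        n = self.uint32()
        v = self.data[self.pos:self.pos + n]
        self.pos += n
        return v


def password_request(user, password):
    # SSH_MSG_USERAUTH_REQUEST, method "password" (userauth draft):
    # user, service, "password", FALSE (not a password change), password
    return (bytes([USERAUTH_REQUEST]) + s(user) + s(b"ssh-connection")
            + s(b"password") + b"\x00" + s(password))


def kbdint_request(user):
    # SSH_MSG_USERAUTH_REQUEST, method "keyboard-interactive":
    # user, service, method, language tag (empty), submethods (empty)
    return (bytes([USERAUTH_REQUEST]) + s(user) + s(b"ssh-connection")
            + s(b"keyboard-interactive") + s(b"") + s(b""))


def info_request(prompts):
    # SSH_MSG_USERAUTH_INFO_REQUEST: name, instruction, language,
    # num-prompts, then (prompt, echo) pairs; prompts come from the server (e.g. PAM)
    body = s(b"") + s(b"") + s(b"") + struct.pack(">I", len(prompts))
    for text, echo in prompts:
        body += s(text) + (b"\x01" if echo else b"\x00")
    return bytes([USERAUTH_INFO_REQUEST]) + body


def info_response(answers):
    # SSH_MSG_USERAUTH_INFO_RESPONSE: num-responses, then one string per prompt
    return (bytes([USERAUTH_INFO_RESPONSE]) + struct.pack(">I", len(answers))
            + b"".join(s(a) for a in answers))


def failure(methods):
    # SSH_MSG_USERAUTH_FAILURE: name-list of methods that can continue, partial success FALSE
    return bytes([USERAUTH_FAILURE]) + s(b",".join(methods)) + b"\x00"


class Server:
    """Hypothetical server. `methods` models what the server is configured to
    offer; a PAM-backed server as described in the thread offers only
    keyboard-interactive, a PAM-less one offers password."""
    def __init__(self, users, methods):
        self.users, self.methods, self.pending = users, list(methods), None

    def handle(self, msg):
        r = Reader(msg)
        t = r.byte()
        if t == USERAUTH_REQUEST:
            user, _service, method = r.string(), r.string(), r.string()
            if method not in self.methods:
                return failure(self.methods)          # tell the client what it may try instead
            if method == b"password":
                r.byte()                              # the FALSE "change password" flag
                ok = self.users.get(user) == r.string()
                return bytes([USERAUTH_SUCCESS]) if ok else failure(self.methods)
            self.pending = user                       # keyboard-interactive: server drives the prompts
            return info_request([(b"Password: ", False)])
        if t == USERAUTH_INFO_RESPONSE and self.pending is not None:
            answers = [r.string() for _ in range(r.uint32())]
            user, self.pending = self.pending, None
            if len(answers) == 1 and self.users.get(user) == answers[0]:
                return bytes([USERAUTH_SUCCESS])
        return failure(self.methods)


def client_auth(server, user, password, client_methods):
    """Try the methods this client implements, in order, honouring the server's
    FAILURE name-list. Returns (authenticated, methods the server last offered)."""
    offered = None
    for method in client_methods:
        if offered is not None and method not in offered:
            continue
        reply = server.handle(password_request(user, password) if method == b"password"
                              else kbdint_request(user))
        while reply[0] == USERAUTH_INFO_REQUEST:
            r = Reader(reply); r.byte(); r.string(); r.string(); r.string()
            answers = []
            for _ in range(r.uint32()):
                r.string(); r.byte()                  # prompt text and echo flag, ignored here
                answers.append(password)              # assumption: answer every prompt with the password
            reply = server.handle(info_response(answers))
        if reply[0] == USERAUTH_SUCCESS:
            return True, offered
        r = Reader(reply); r.byte()
        offered = r.string().split(b",")
    return False, offered
```

A client that knows only "password" gets back a FAILURE whose name-list contains nothing it implements, and the exchange stops there; the same client succeeds against a server that offers "password", and a client that also implements keyboard-interactive succeeds against the PAM-style server after one INFO_REQUEST/INFO_RESPONSE round trip. Which methods a client needs therefore depends on how the server happened to be built, which is the "two flavours" problem the message above objects to.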


