IETF-SSH archive


Re: Ambiguities in section 3.1 of the keyboard-interactive draft



Niels Möller wrote:
> Jeffrey Hutzelman <jhutz%cmu.edu@localhost> writes:

> If I remember the PAM docs right, it's fully possible to use the
> accounting and session setup stuff in PAM, without using the PAM
> authentication functions. Assuming I have this right, then the behaviour
> you describe is just a stupid implementation quirk in openssh. And if
> I'm wrong, and it isn't possible to use PAM session and accounting
> management without also using PAM authentication, that just shows that
> the PAM API is badly designed.

The PAM API is terribly designed, poorly implemented and a very bad fit
for the SSH protocols. It really shouldn't be used as an example for
kbd-int.

BTW, it is possible to use PAM authorization and session management
functions without the authentication functions (OpenSSH does this for
pubkey authentication, for example). In fact, most of the horror of the
PAM API is in its blocking conversation function, which is primarily
used in authentication. This conversation function is the worst
"impedance mismatch" between PAM and SSH.

-d
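A toy model of the impedance mismatch discussed above, added here as an example and not part of this thread: a stand-in PAM module blocks inside its conversation callback, while the SSH side has to emit an SSH_MSG_USERAUTH_INFO_REQUEST (RFC 4256 layout) and wait for the client's response, so the usual bridge runs the PAM transaction on its own thread and relays prompts and answers through queues. The PAM module, the secret and the client answers are constructed; only the message number, the PAM msg_style values and the wire layout are the real protocols'.

```python
import queue
import struct
import threading

SSH_MSG_USERAUTH_INFO_REQUEST = 60               # RFC 4256
PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON = 1, 2   # PAM msg_style values

def _string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def encode_info_request(messages):
    """Map a list of PAM (msg_style, text) prompts onto one INFO_REQUEST packet."""
    pkt = bytes([SSH_MSG_USERAUTH_INFO_REQUEST])
    pkt += _string(b"") + _string(b"") + _string(b"")   # name, instruction, language tag
    pkt += struct.pack(">I", len(messages))             # num-prompts
    for style, text in messages:
        pkt += _string(text.encode()) + bytes([style == PAM_PROMPT_ECHO_ON])  # prompt, echo
    return pkt

def fake_pam_authenticate(conv, secret="hunter2"):
    """Constructed stand-in for a PAM module: it blocks inside conv() until answers arrive."""
    answers = conv([(PAM_PROMPT_ECHO_OFF, "Password: ")])
    return answers == [secret]

class KbdIntBridge:
    """Runs the PAM transaction on a worker thread so only that thread blocks in conv();
    the SSH side hands prompts to the wire and feeds the client's answers back."""
    def __init__(self):
        self.prompts, self.answers = queue.Queue(), queue.Queue()
        self.result = None

    def conv(self, messages):          # invoked on the PAM thread
        self.prompts.put(messages)
        return self.answers.get()      # blocks the PAM thread, not the SSH event loop

    def run(self, client_answers):
        worker = threading.Thread(
            target=lambda: setattr(self, "result", fake_pam_authenticate(self.conv)))
        worker.start()
        sent = []                      # INFO_REQUEST packets that would go on the wire
        while worker.is_alive():
            try:
                msgs = self.prompts.get(timeout=0.05)
            except queue.Empty:
                continue               # event loop is free to do other work here
            sent.append(encode_info_request(msgs))
            self.answers.put(client_answers)   # the client's INFO_RESPONSE, constructed
        worker.join()
        return sent, self.result
```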


