Re: Ambiguities in section 3.1 of the keyboard-interactive draft

To: Niels Möller <nisse%lysator.liu.se@localhost>
Subject: Re: Ambiguities in section 3.1 of the keyboard-interactive draft
From: Damien Miller <djm%mindrot.org@localhost>
Date: Wed, 29 Sep 2004 10:51:43 +1000

Niels Möller wrote:
> Jeffrey Hutzelman <jhutz%cmu.edu@localhost> writes:

> If I remember the PAM docs right, it's fully possible to use the
> accounting and session setup stuff in PAM, without using the PAM
> authentication functions. Assuming I have this right, then behaviour
> you describe is just a stupid implementation quirk in openssh. And if
> I'm wrong, and it isn't possible to use PAM session and accounting
> management without also using PAM authentication, that just shows that
> the PAM API is badly designed.

The PAM API is terribly designed, poorly implemented and a very bad fit
for the SSH protocols. It really shouldn't be used as an example for
kbd-int.

BTW It is possible to use PAM authorization and session management
functions without the authentication functions (OpenSSH does this for
pubkey authentication, for example). In fact, most of the horror of the
PAM API is in its blocking conversation function, which is primarily
used in authentication. This conversation function is the worst
"impedance mismatch" between PAM and SSH.

-d

References:
- Re: Ambiguities in section 3.1 of the keyboard-interactive draft
  - From: Peter Gutmann
- Re: Ambiguities in section 3.1 of the keyboard-interactive draft
  - From: Jeffrey Hutzelman
- Re: Ambiguities in section 3.1 of the keyboard-interactive draft
  - From: Niels Möller

Prev by Date: Re: Ambiguities in section 3.1 of the keyboard-interactive draft
Next by Date: Re: Ambiguities in section 3.1 of the keyboard-interactive draft
Previous by Thread: Re: Ambiguities in section 3.1 of the keyboard-interactive draft
Next by Thread: Re: Ambiguities in section 3.1 of the keyboard-interactive draft
Indexes:

Home | Main Index | Thread Index | Old Index