> I had wanted to design a generic wrapper API for all those systems atop
> PAM w/ binary prompts. But that has gone nowhere. Although, the one
> example of binary prompts included in Linux-PAM is, in fact, a wrapper
> around a home-grown network authentication system based on shared
> secrets, so a bare-bones proof of concept exists.

I have been racking my brains for a solution to a similar problem, and I am coming to the conclusion that PAM needs to be extended.

At the risk of being somewhat long-winded, let me illustrate the problem with ftpd and a challenge-based authenticator like OPIE or S/Key.

What actually happens:

1) The ftpclient connects to the ftpserver.
2) The ftpclient obtains the username and sends "USER <username>"
3) The ftpclient obtains the password and sends "PASS <password>"
4) The ftpserver calls pam_authenticate().

What needs to happen:

1) The ftpclient connects to the ftpserver. (UNCHANGED)
2) The ftpclient obtains the username and sends "USER <username>" (UNCHANGED)
2a) The ftpserver calls pam_challenge() - a proposed function that calls all/any challenge functions that would/should use a conversation function to present appropriate challenges to the ftpclient.
3) The ftpclient obtains the password and sends "PASS <password>" (UNCHANGED)
4) The ftpserver calls pam_authenticate(). (UNCHANGED)

I have not thought about this for very long, so there are doubtless fundamental flaws in the idea.

Comments? I could hack up a proof-of-concept of this in short order.

M
--
Mark Murray
Warning: this .sig is umop ap!sdn
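
The flow proposed in the message above, as an added example that is not part of the original post and is not PAM code: a toy FTP login state machine in which the challenge is issued between USER and PASS. The `challenge()` and `authenticate()` methods are hypothetical stand-ins for the proposed pam_challenge() and for pam_authenticate(); the SHA-256 hash chain and the `otp-sha256` label are simplified assumptions, not the OPIE or S/Key wire format.

```python
import hashlib, hmac

def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """Simplified S/Key-style hash chain: H applied n times to H(seed + secret)."""
    h = hashlib.sha256(seed + secret).digest()
    for _ in range(n):
        h = hashlib.sha256(h).digest()
    return h

class FtpServer:
    """Toy login state machine. users: name -> [seq, seed, last accepted OTP]."""
    def __init__(self, users):
        self.users, self.pending = users, None

    def challenge(self, user: str) -> str:
        # Hypothetical stand-in for the proposed pam_challenge() (step 2a).
        seq, seed, _ = self.users[user]
        return f"otp-sha256 {seq - 1} {seed.decode()}"

    def authenticate(self, user: str, response_hex: str) -> bool:
        # Stand-in for pam_authenticate() (step 4): hash once, compare, advance.
        seq, seed, last = self.users[user]
        try:
            resp = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if not hmac.compare_digest(hashlib.sha256(resp).digest(), last):
            return False
        self.users[user] = [seq - 1, seed, resp]
        return True

    def handle(self, line: str) -> str:
        cmd, _, arg = line.partition(" ")
        if cmd == "USER" and arg in self.users:
            self.pending = arg
            return f"331 Response to {self.challenge(arg)} required for {arg}."
        if cmd == "PASS" and self.pending:
            user, self.pending = self.pending, None
            ok = self.authenticate(user, arg)
            return "230 Logged in." if ok else "530 Login incorrect."
        return "530 Please login with USER and PASS."

def client_response(reply: str, secret: bytes) -> str:
    parts = reply.split()  # 331 Response to otp-sha256 <seq> <seed> required ...
    return chain(secret, parts[5].encode(), int(parts[4])).hex()

def demo():
    secret, seed = b"constructed-secret", b"ke1234"  # constructed sample values
    srv = FtpServer({"mark": [99, seed, chain(secret, seed, 99)]})
    reply = srv.handle("USER mark")
    otp = client_response(reply, secret)
    first = srv.handle("PASS " + otp)
    srv.handle("USER mark")
    return reply, first, srv.handle("PASS " + otp)  # last item: replayed OTP
```

The client can only compute its response because the sequence number and seed arrive in the 331 reply, before PASS is sent; a replayed response is rejected because the stored value advances after each successful login.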