-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Ian Mortimer wrote:
>
>> This is not how ssh authentication works with public keys. What
>> happens is along these lines:
>
> I believe this is backwards.
>
>> the server sends a challenge to the client
>
> the server generates a challenge, and encrypts it with the public
> key (authorized_keys).
>
>> the client encrypts the challenge using the private key
>
> the client decrypts the encrypted challenge and sends it back;
> decryption requires the private key, not the public. Thus
> decrypting the challenge proves one possesses the private key.
>
>> the server decrypts the reply using the public key and tries to
>> match it against the challenge it sent.
>
> the server verifies the decrypted challenge sent back by the client
> is the same one it sent out. You can only encrypt with a public
> key, you cannot decrypt.
>
>> At no stage does the client send the public key to the server.
>
> true, the server already has the public key (it's in
> authorized_keys). the client also never sends the private key to
> the server, it only sends the Comment string so the server knows
> which key in authorized_keys one wishes to use.

So Ian, if I understand your posting right, there's no way to pass this to a PAM module because it would require direct interaction between the PAM module and the SSH client. The PAM module would have to play the SSH server, sending an encrypted challenge to the client requesting authentication. Is that right?

Regards
Daniel

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDXXEL+Jpc4lzks7cRAkIRAJ4udZNxo4OSNcLPWO0BwLK5z0xUOACdHnW2
8MwLJ3wTzlBcfQJoF5mo4Lo=
=GwJ/
-----END PGP SIGNATURE-----

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
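The challenge-response exchange the thread describes, written out with both sides' messages as an added example; it is not code from the original message, from OpenSSH or from any PAM module. It models the encrypt-with-public-key, decrypt-with-private-key scheme as the quoted reply explains it (the style of the old SSH-1 RSA authentication; SSH-2 public-key authentication instead has the client sign session-bound data with the private key and the server verify the signature). The key pair is textbook RSA built from two small constructed primes, so it is insecure and only serves to make the round trip visible. Two details are my own assumptions rather than anything the thread states: the client is looked up by the comment string it sends, and the reply is a hash of the decrypted challenge together with a session id rather than the raw plaintext, so the client does not act as a general decryption oracle for whoever sends it ciphertexts. Everything stays between the client and the server object, which is the point of Daniel's question: the exchange needs a round trip with the SSH client that a module sitting behind the server does not get.

```python
"""Toy model of SSH-1-style public-key challenge-response authentication.

Textbook RSA with constructed small primes: insecure, illustration only.
"""
import hashlib
import secrets

# Constructed key pair: the 10000th and 100000th primes. Real keys are
# 2048+ bits and use padding; these only make the arithmetic visible.
P, Q = 104729, 1299709
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

PUBLIC_KEY = (N, E)    # what the server stores in authorized_keys
PRIVATE_KEY = (N, D)   # what never leaves the client


def int_to_bytes(x: int) -> bytes:
    """Big-endian encoding of a non-negative integer (at least one byte)."""
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")


def bind_to_session(challenge: int, session_id: bytes) -> bytes:
    """Reply format (assumption): hash of the challenge plus the session id,
    so a recovered plaintext is never echoed back verbatim."""
    return hashlib.sha256(int_to_bytes(challenge) + session_id).digest()


class SshServer:
    """Holds authorized_keys (comment -> public key) and checks replies."""

    def __init__(self, authorized_keys: dict, session_id: bytes):
        self.authorized_keys = authorized_keys
        self.session_id = session_id
        self._pending = {}  # comment -> plaintext challenge awaiting a reply

    def make_challenge(self, comment: str):
        """Encrypt a fresh random challenge with the public key named by
        `comment`. Returns None if no such key is authorized; the client
        only ever sends the comment, never a key."""
        key = self.authorized_keys.get(comment)
        if key is None:
            return None
        n, e = key
        m = secrets.randbelow(n - 2) + 2      # challenge in [2, n-1]
        self._pending[comment] = m
        return pow(m, e, n)                   # only the private key undoes this

    def verify(self, comment: str, reply: bytes) -> bool:
        """Accept the reply once; a replayed reply finds no pending challenge."""
        m = self._pending.pop(comment, None)
        if m is None:
            return False
        expected = bind_to_session(m, self.session_id)
        return secrets.compare_digest(expected, reply)


class SshClient:
    """Knows its private key and the comment string that names the key."""

    def __init__(self, comment: str, private_key: tuple):
        self.comment = comment
        self.private_key = private_key

    def answer(self, encrypted_challenge: int, session_id: bytes) -> bytes:
        n, d = self.private_key
        m = pow(encrypted_challenge, d, n)    # decrypt with the private key
        return bind_to_session(m, session_id)


def authenticate(client: SshClient, server: SshServer) -> bool:
    """The full round trip: comment -> encrypted challenge -> reply -> verdict."""
    encrypted = server.make_challenge(client.comment)
    if encrypted is None:
        return False
    reply = client.answer(encrypted, server.session_id)
    return server.verify(client.comment, reply)


if __name__ == "__main__":
    srv = SshServer({"daniel@example": PUBLIC_KEY}, b"constructed-session-id")
    print("right key:", authenticate(SshClient("daniel@example", PRIVATE_KEY), srv))
    # Holding only the public key is not enough: it cannot decrypt.
    print("public key only:", authenticate(SshClient("daniel@example", PUBLIC_KEY), srv))
    print("unknown comment:", authenticate(SshClient("nobody@example", PRIVATE_KEY), srv))
```

The impostor case passes the public key in place of the private key: `pow(c, E, N)` does not recover the challenge, so the reply fails, which is the "you can only encrypt with a public key, you cannot decrypt" point from the thread in executable form. Because `verify` discards the pending challenge on first use, capturing a valid reply and sending it again is also rejected.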