Among the forest of all available PAM modules in standard Linux distros,
I was unable to identify the one I should use to fulfill my need:
I'm developing a client/server application that needs authentication.
I'd like this authentication to be handled by PAM. For instance, if I
want to rely on Linux shadow passwords for existing accounts, I'll have
my server belong to the "shadow" group and use the "auth-common" module.
So far, so good.
But I cannot use SSL or TLS for the client/server protocol, so I have to
encrypt the user password. In such situations, I'd usually have the
server send a one-time challenge, and the client respond
sha1(pass+challenge). Or, if the pass is itself encrypted in the
database, let's say by some hash() function, the client would answer
sha1(hash(pass)+challenge), and the server, knowing the real pass, can
My understanding is that I *have* to give the provided password as is to
PAM, because I don't have any means of telling PAM *how* it should be
compared to the stored password. Put it another way, I cannot tell
PAM "here is my <challenge>, the user provided
<sha1(hash(pass)+challenge)>, please check that".
And so, it means the only solution is to encrypt the password with a
reversible encryption function and not with a hash. Am I right?
Pam-list mailing list
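The challenge-response exchange the post describes, written out with both sides as an added Python example (not code from the poster or from PAM). `hash_pass` stands in for the poster's unspecified hash(), and the user and password are constructed; the point it shows is that the verifier needs hash(pass) itself, which a check that only accepts the plaintext password never exposes.

```python
import hashlib
import hmac
import secrets


def hash_pass(password: str) -> bytes:
    """Stand-in for the poster's hash(): what the server stores instead of the password."""
    return hashlib.sha256(password.encode()).digest()


class Server:
    def __init__(self, stored):
        # username -> hash(pass); for this protocol that value is password-equivalent,
        # so it must be protected as carefully as the password itself.
        self.stored = stored
        self.pending = {}

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(16)  # one-time, unpredictable challenge
        self.pending[user] = c
        return c

    def verify(self, user: str, response: bytes) -> bool:
        c = self.pending.pop(user, None)  # pop: each challenge answers exactly once
        if c is None or user not in self.stored:
            return False
        # sha1(hash(pass) + challenge), recomputed from the stored hash(pass)
        expected = hashlib.sha1(self.stored[user] + c).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def client_response(password: str, challenge: bytes) -> bytes:
    """Client side: derive hash(pass) locally, then answer sha1(hash(pass) + challenge)."""
    return hashlib.sha1(hash_pass(password) + challenge).digest()


def run_exchange(server: Server, user: str, password: str) -> bool:
    c = server.challenge(user)
    return server.verify(user, client_response(password, c))


if __name__ == "__main__":
    srv = Server({"alice": hash_pass("constructed-password")})  # constructed account
    print(run_exchange(srv, "alice", "constructed-password"))  # True
    print(run_exchange(srv, "alice", "wrong-password"))        # False
```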