PAM module for client/server application

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Among the forest of all available PAM modules in standard linux distros, I was unable to identify the one I should use to fulfill my need:

I'm developing a client/server application that needs authentication. I'd like this authentication to be handled by PAM. For instance, if I want to rely on linux shadow passwords for existing accounts, I'll have my server belong to the "shadow" group and use the "auth-common" module. So far, so good.

But I cannot use SSL or TLS for the client/server protocol, so I have to encrypt the user password. In such situations, I'd usually have the server send a one-time challenge, and the client respond sha1(pass+challenge). Or, if the pass is itself encrypted in the database, let say by some hash() function, the client would answer sha1(hash(pass)+challenge), and the server, knowing the real pass, can check authentication.

My understanding is that I *have* to give the provided password as is to PAM, because I don't have any mean of telling PAM *how* it should be compared to the stored password. Put it in another way, I cannot tell PAM "here is my <challenge>, the user provided <sha1(hash(pass)+challenge)>, please check that".

And so, it means the only solution is to encrypt the password with a reversible encryption function and not with a hash. Am I right?



Pam-list mailing list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux