On Sun, 7 Feb 1999, Jean Chouanard wrote:
> At 08:15 AM 2/7/99 -0800, someone using Andrew Morgan's login wrote:
> > a. add some generic message exchange types to the client and the
> >server (echo'd prompt, invisible prompt, binary prompt (raw data
> >exchange) etc..)
> Yes and this has to be properly defined to be generic enough so that it
> will be stable in the future. Piece of cake! :-)
I must admit I am no expert on PAM, but from what I can see there are
two distinctive modes. One where it expects to talk to a user and one
where it expects to talk to some program (via the PAM_BINARY... messages).
Implementing the first one is simple and only needs one simple
modification of my draft (addition of a message packet from server to
client with a bit to indicate error). Since the replies are expected to be
retrieved from the user the client does not need to know anything special.
The second one is tougher. The one thing I haven't found anything about in
the documents I have read is how the client knows which module to
use? I might sit at a client with a smartcard reader, a retinal scanner
and a fingerprint reader. How does the client know which to use?
> It's important to keep all the existing authentication protocols without
> any changes for compatibility reason.
Yes Amen etc. This is imperative.
> Also, it is a nice option to have, as a fallback protocol, a predefined
> authentication protocol, to be used if the client does not support the
> *new* generic authentication.
It is also a requirement of the ssh2 protocol (the publickey
authentication is required).
> >[Why, given the choice, anyone would not actually want to use PAM I'd be
> >interested to discuss (off line).]
I guess that is a good topic for some beers :-)
/MaF
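The "talk to a user" mode described in the message above, as an added example that is not part of the original thread or of either author's draft: the server turns a batch of PAM-style prompts into one packet carrying, per prompt, a flags byte (error bit, reply-expected bit, echo bit) and an ssh-style length-prefixed string; the client displays or asks as the flags say and answers with a reply packet; the server checks the reply count against the prompts that asked for one. The packet layout, flag values, size limits and function names are hypothetical illustration, not the draft's or ssh2's real wire format.

```python
"""Hypothetical server<->client prompt exchange for the "talk to a user" PAM mode.
Layout, flag bits, limits and names are assumptions for illustration only."""
import struct

# Per-prompt flag bits (hypothetical layout, loosely mirroring PAM message styles).
FLAG_ERROR = 0x01   # message reports an error (PAM_ERROR_MSG-like), no reply wanted
FLAG_REPLY = 0x02   # a reply from the user is expected (a prompt, not plain text)
FLAG_ECHO = 0x04    # echo the user's typing (PAM_PROMPT_ECHO_ON-like); unset = hidden

MAX_PROMPTS = 16    # assumed caps so a hostile peer cannot make us loop or allocate freely
MAX_TEXT = 1024


def _put_string(data):
    """ssh-style string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _get_string(buf, off):
    """Parse one length-prefixed string at buf[off:], bounds-checked; return (bytes, new_off)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if n > MAX_TEXT or off + n > len(buf):
        raise ValueError("bad string length")
    return buf[off:off + n], off + n


def encode_prompt_packet(prompts):
    """Server side: prompts is a list of (flags, text). Packet = count, then flags+string each."""
    if not 0 < len(prompts) <= MAX_PROMPTS:
        raise ValueError("prompt count out of range")
    out = bytes([len(prompts)])
    for flags, text in prompts:
        out += bytes([flags]) + _put_string(text.encode("utf-8"))
    return out


def decode_prompt_packet(buf):
    """Client side: parse a prompt packet into a list of (flags, text), rejecting malformed input."""
    if not buf:
        raise ValueError("empty packet")
    count = buf[0]
    if not 0 < count <= MAX_PROMPTS:
        raise ValueError("prompt count out of range")
    off, prompts = 1, []
    for _ in range(count):
        if off >= len(buf):
            raise ValueError("truncated prompt")
        flags = buf[off]
        off += 1
        text, off = _get_string(buf, off)
        prompts.append((flags, text.decode("utf-8", "replace")))
    if off != len(buf):
        raise ValueError("trailing bytes")
    return prompts


def encode_reply_packet(replies):
    """Client side: count byte followed by one string per answered prompt."""
    out = bytes([len(replies)])
    for r in replies:
        out += _put_string(r.encode("utf-8"))
    return out


def client_handle(packet, ask, show):
    """Client side: ask(text, echo) -> str collects a reply; show(text, is_error) displays text.
    Only prompts with FLAG_REPLY produce a reply, in packet order."""
    replies = []
    for flags, text in decode_prompt_packet(packet):
        if flags & FLAG_REPLY:
            replies.append(ask(text, bool(flags & FLAG_ECHO)))
        else:
            show(text, bool(flags & FLAG_ERROR))
    return encode_reply_packet(replies)


def server_collect_replies(sent_prompts, reply_packet):
    """Server side: parse the reply and insist it answers exactly the prompts that asked."""
    expected = sum(1 for flags, _ in sent_prompts if flags & FLAG_REPLY)
    if not reply_packet:
        raise ValueError("empty reply")
    count = reply_packet[0]
    if count != expected:
        raise ValueError("expected %d replies, got %d" % (expected, count))
    off, replies = 1, []
    for _ in range(count):
        s, off = _get_string(reply_packet, off)
        replies.append(s.decode("utf-8", "replace"))
    if off != len(reply_packet):
        raise ValueError("trailing bytes")
    return replies


def demo():
    """Constructed round trip: an info line, an echoed login prompt, a hidden password prompt."""
    prompts = [
        (0, "Welcome to example.org"),
        (FLAG_REPLY | FLAG_ECHO, "Login: "),
        (FLAG_REPLY, "Password: "),
    ]
    canned = {"Login: ": "maf", "Password: ": "hunter2"}   # constructed user input
    shown = []
    reply = client_handle(encode_prompt_packet(prompts),
                          lambda text, echo: canned[text],
                          lambda text, err: shown.append((text, err)))
    return server_collect_replies(prompts, reply), shown


if __name__ == "__main__":
    print(demo())
```

The client needs no knowledge of which PAM module is running: it only distinguishes "display this" from "ask this, with or without echo", which is why this mode stays simple. The reply-count check on the server is the part worth keeping in any real design, since a client that answers fewer or more prompts than were asked is either broken or probing.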