From: Garrett Wollman
Date: Mon, 18 Mar 2002 14:46:48 -0500 (EST)
To: Dag-Erling Smorgrav
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/crypto/openssh auth-skey.c

< said:

> was still true of OpenSSH 2.9 but is no longer true of OpenSSH 3.1,
> which has an elaborate mechanism for defining new authentication
> methods (gee, you'd think they'd heard of PAM...)

Category error. PAM's authentication model is designed for interacting with humans. The secure shell protocol's authentication protocol is designed for interacting with other programs, which may or may not be acting on behalf of humans. (See also GSS-API, SASL, EAP, etc.) Users are unlikely to be performing public-key authentication at a login prompt.

The protocol provides the `keyboard-interactive' authentication method for the use of PAM-like interfaces, which certainly looks like the Right Thing to me. I can't speak for whether the PAM code in auth2-pam.c is actually sensible or not.

-GAWollman