Date: Wed, 24 May 2000 21:01:01 -0400 (EDT) From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu> To: Kris Kennaway <kris@FreeBSD.org> Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/crypto/openssh sshd_config Message-ID: <200005250101.VAA83975@khavrinen.lcs.mit.edu> In-Reply-To: <Pine.BSF.4.21.0005241518170.24095-100000@freefall.freebsd.org> References: <392C3E40.E0D8974D@vangelderen.org> <Pine.BSF.4.21.0005241518170.24095-100000@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
<<On Wed, 24 May 2000 15:19:54 -0700 (PDT), Kris Kennaway <kris@FreeBSD.org> said: > This is precisely the point of PAM. Someone needs to PAMerize OpenSSH so > we don't have duplicated kerberos/opie/password authentication code in > there PAM is adequate for dealing with the case of user-provided authentication information, but falls down on (and wasn't designed for) secure network protocols. PAM can certainly provide an authentication services for those protocols which don't provide user-to-service or user-to-user authentication themselves (although my policy is to deprecate such protocols altogether), but authenticated protocols need to be built at a different layer. That's where SSL/TLS, SASL, GSSAPI, and SSH (the protocol) come in. Unfortunately, SSH was designed as a monolithic entity and thus has to explicitly provide for every authentication mechanism in the protocol, whereas SASL, GSSAPI, and TELNET authentication were designed to be pluggable from the start. -GAWollman -- Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same wollman@lcs.mit.edu | O Siem / The fires of freedom Opinions not those of| Dance in the burning flame MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200005250101.VAA83975>