public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] [footnote]  The purpose of pam
From: walt @ 2010-01-27  0:34 UTC
  To: gentoo-user

Not too long ago there was a question here about why pam is
needed (or not) but I can't find that thread at the moment :-/

Anyway, I said that I put "auth sufficient pam_ssh.so" in
my /etc/pam.d/system-auth file so that I can ssh between
the machines on my home network using my ssh key for login
authentication *instead* of a password.

Well, Neil said that I don't need pam for that because sshd
handles ssh logins automatically, whether by key or password.

I deleted that line from system-auth and found that I could
indeed ssh between machines using my ssh key, just as Neil
said.

However...

Then I remembered that the *real* reason I added that line
to system-auth is so that I can login directly (not via ssh)
to my local machines using my ssh passphrase instead of an
ordinary password.  (This seems inherently more secure to
me, but I could be wrong.)

After thinking awhile I realized that pam can be used to
combine multiple forms of authentication to reduce the well
documented risk of single-factor authentication (like our
traditional password system).

Example:  if I have an ordinary password, plus an ssh key
stored on a USB stick, plus a biometric device like an
eye scanner or a fingerprint scanner, I can then use any
or all of those methods to identify myself to the system
by configuring pam in the appropriate way.

Any sysadmins out there that can confirm my reasoning?


* Re: [gentoo-user] [footnote]  The purpose of pam
From: Alan McKinnon @ 2010-01-27  6:34 UTC
  To: gentoo-user

On Wednesday 27 January 2010 02:34:56 walt wrote:
> After thinking awhile I realized that pam can be used to
> combine multiple forms of authentication to reduce the well
> documented risk of single-factor authentication (like our
> traditional password system).
> 
> Example:  if I have an ordinary password, plus an ssh key
> stored on a USB stick, plus a biometric device like an
> eye scanner or a fingerprint scanner, I can then use any
> or all of those methods to identify myself to the system
> by configuring pam in the appropriate way.
> 
> Any sysadmins out there that can confirm my reasoning?
> 

This is not merely a nice thing you can use pam to do.

It is the entire reason for pam's existence and it was
written to do nothing else.

If all you need auth to do is validate a username/password,
you might as well stick with login.

pam is Pluggable Authentication Modules, meaning you use
the modules you want to create the scheme you want.

-- 
alan dot mckinnon at gmail dot com


* Re: [gentoo-user] [footnote]  The purpose of pam
From: Stroller @ 2010-01-27  9:10 UTC
  To: gentoo-user


On 27 Jan 2010, at 00:34, walt wrote:
> ...
> After thinking awhile I realized that pam can be used to
> combine multiple forms of authentication to reduce the well
> documented risk of single-factor authentication (like our
> traditional password system).
> ...
> Any sysadmins out there that can confirm my reasoning?

I use pam_winbind at a site to enable users to log on to the Dovecot
IMAP server using their Windows domain username & password.

Once the underlying mechanism is set up it requires very little work to
enable this - for ftp authentication (restricted to localhost only,
but this allows Squirrelmail users to add a vacation message) I needed
to touch, I am sure, nothing but the /etc/pam.d/ftp file. Dovecot
requires only one or two extra lines in its config. With one
additional line in /etc/pam.d/imaps a homedir is created for the user
the first time they log into the IMAP server (pam_mkhomedir.so).

This list may not consider this such a cool use of PAM as using long
encryption keys to authenticate themselves, but I have found PAM
amazing when it all comes together so quickly. PAM seems quite
powerful & flexible, although I too seem to recall having a
frustrating experience when I encountered it, without understanding
it, years ago.

Stroller.


* Re: [gentoo-user] [footnote]  The purpose of pam
From: Willie Wong @ 2010-01-27 11:01 UTC
  To: gentoo-user

On Tue, Jan 26, 2010 at 04:34:56PM -0800, walt wrote:
> After thinking awhile I realized that pam can be used to
> combine multiple forms of authentication to reduce the well
> documented risk of single-factor authentication (like our
> traditional password system).
> 
> Example:  if I have an ordinary password, plus an ssh key
> stored on a USB stick, plus a biometric device like an
> eye scanner or a fingerprint scanner, I can then use any
> or all of those methods to identify myself to the system
> by configuring pam in the appropriate way.

Yes. 

First look at the PAM configuration section of this:

http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader#Login_via_pam_bioapi

Now if instead of having 

auth sufficient pam_unix.so ...
auth sufficient pam_bioapi.so ...

which says that either password log-in OR fingerprint scanner is
enough, you change the first line to "auth required ...", per the docs

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html

you will then have a behaviour where BOTH password and fingerprint are
involved. I think PAM is a Pretty Good Idea and its implementation is
Very Cool, but I also think it is completely unnecessary on _my_
laptop.

Cheers, 

W
-- 
Willie W. Wong                                     wwong@math.princeton.edu
Data aequatione quotcunque fluentes quantitae involvente fluxiones invenire 
         et vice versa   ~~~  I. Newton
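An added example, not code from Linux-PAM and not from any poster in this thread: a small Python model of how an `auth` stack is walked, so the `sufficient` vs `required` change described in the message above can be tried without editing /etc/pam.d. It models only the required/requisite/sufficient control flags (no `optional`, no bracketed `[value=action]` syntax), and the module results are constructed booleans standing in for pam_unix and pam_bioapi.

```python
# Added example (not Linux-PAM code, not from the thread): a model of how an
# "auth" stack is walked. Only required/requisite/sufficient are modelled;
# module results are constructed booleans standing in for the real modules.

def parse_auth_stack(config_text):
    """Extract (control, module) pairs from the 'auth' lines of a pam.d file."""
    stack = []
    for raw in config_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on blanks
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack


def run_stack(stack, outcomes):
    """Return ('allow' | 'deny', modules_consulted); outcomes maps module -> bool."""
    consulted, failed, succeeded = [], False, False
    for control, module in stack:
        ok = outcomes[module]
        consulted.append(module)
        if control == "required":
            # failure is remembered but later lines still run, so the caller
            # cannot tell which factor rejected them
            failed, succeeded = failed or not ok, succeeded or ok
        elif control == "requisite":
            if not ok:
                return "deny", consulted       # abort the stack at once
            succeeded = True
        elif control == "sufficient":
            if ok and not failed:
                return "allow", consulted      # short-circuit: rest is skipped
            # a failing 'sufficient' line is simply ignored
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    return ("allow" if succeeded and not failed else "deny"), consulted


# Constructed pam.d fragments: the thread's two variants plus the form that
# makes both factors mandatory.
EITHER_FACTOR = "auth sufficient pam_unix.so\nauth sufficient pam_bioapi.so\n"
PASSWORD_MANDATORY = "auth required pam_unix.so\nauth sufficient pam_bioapi.so\n"
BOTH_MANDATORY = "auth required pam_unix.so\nauth required pam_bioapi.so\n"


def decide(config_text, password_ok, fingerprint_ok):
    """Outcome for one login given the constructed results of each factor."""
    outcomes = {"pam_unix.so": password_ok, "pam_bioapi.so": fingerprint_ok}
    return run_stack(parse_auth_stack(config_text), outcomes)[0]
```

With `required pam_unix.so` followed by `sufficient pam_bioapi.so`, a correct password alone still logs in, because a failing `sufficient` line is ignored; only two `required` lines make both factors mandatory.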

* Re: [gentoo-user] [footnote]  The purpose of pam
From: Mick @ 2010-01-27 22:04 UTC
  To: gentoo-user


On Wednesday 27 January 2010 11:01:52 Willie Wong wrote:
> On Tue, Jan 26, 2010 at 04:34:56PM -0800, walt wrote:
> > After thinking awhile I realized that pam can be used to
> > combine multiple forms of authentication to reduce the well
> > documented risk of single-factor authentication (like our
> > traditional password system).
> >
> > Example:  if I have an ordinary password, plus an ssh key
> > stored on a USB stick, plus a biometric device like an
> > eye scanner or a fingerprint scanner, I can then use any
> > or all of those methods to identify myself to the system
> > by configuring pam in the appropriate way.
> 
> Yes.
> 
> First look at the PAM configuration section of this:
> 
> http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader#Login_via_pam_bioapi
> 
> Now if instead of having
> 
> auth sufficient pam_unix.so ...
> auth sufficient pam_bioapi.so ...
> 
> which says that either password log-in OR fingerprint scanner is
> enough, you change the first line to "auth required ...", per the docs
> 
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html
> 
> you will then have a behaviour where BOTH password and fingerprint is
> involved. I think PAM is a Pretty Good Idea and its implementation is
> Very Cool, but I also think it is completely unnecessary on _my_
> laptop.

What would be the pam-way to only allow remote ssh logins using pubkeys and
completely forbid ssh passwd?  I used to remove allow pam from sshd_config.  Is
there a better pam-centric way of doing the same thing?
-- 
Regards,
Mick


* Re: [gentoo-user] [footnote] The purpose of pam
From: Ward Poelmans @ 2010-01-28  8:45 UTC
  To: gentoo-user

On Wed, Jan 27, 2010 at 23:04, Mick <michaelkintzios@gmail.com> wrote:
> What would be the pam-way to only allow remote ssh logins using pubkeys and
> completely forbid ssh passwd?  I used to remove allow pam from sshd_config.  Is
> there a better pam-centric way of doing the same thing?

Put "PasswordAuthentication" to no in your sshd_config?

Ward


* Re: [gentoo-user] [footnote]  The purpose of pam
From: Alan McKinnon @ 2010-01-28  8:53 UTC
  To: gentoo-user

On Thursday 28 January 2010 00:04:46 Mick wrote:
> On Wednesday 27 January 2010 11:01:52 Willie Wong wrote:
> > On Tue, Jan 26, 2010 at 04:34:56PM -0800, walt wrote:
> > > After thinking awhile I realized that pam can be used to
> > > combine multiple forms of authentication to reduce the well
> > > documented risk of single-factor authentication (like our
> > > traditional password system).
> > >
> > > Example:  if I have an ordinary password, plus an ssh key
> > > stored on a USB stick, plus a biometric device like an
> > > eye scanner or a fingerprint scanner, I can then use any
> > > or all of those methods to identify myself to the system
> > > by configuring pam in the appropriate way.
> >
> > Yes.
> >
> > First look at the PAM configuration section of this:
> >
> > http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader#Login_via_pam_bioapi
> >
> > Now if instead of having
> >
> > auth sufficient pam_unix.so ...
> > auth sufficient pam_bioapi.so ...
> >
> > which says that either password log-in OR fingerprint scanner is
> > enough, you change the first line to "auth required ...", per the docs
> >
> > http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html
> >
> > you will then have a behaviour where BOTH password and fingerprint is
> > involved. I think PAM is a Pretty Good Idea and its implementation is
> > Very Cool, but I also think it is completely unnecessary on _my_
> > laptop.
> 
> What would be the pam-way to only allow remote ssh logins using pubkeys and
> completely forbid ssh passwd?  I used to remove allow pam from sshd_config.
> Is there a better pam-centric way of doing the same thing?

That's pretty pointless. pam doesn't know how to do openssl voodoo magic. sshd
does.

-- 
alan dot mckinnon at gmail dot com