[gentoo-user] [footnote] The purpose of pam

[gentoo-user] [footnote] The purpose of pam

[walt]

Not too long ago there was a question here about why pam is
needed (or not) but I can't find that thread at the moment :-/

Anyway, I said that I put "auth sufficient pam_ssh.so" in
my /etc/pam.d/system-auth file so that I can ssh between
the machines on my home network using my ssh key for login
authentication *instead* of a password.

Well, Neil said that I don't need pam for that because sshd
handles ssh logins automatically, whether by key or password.

I deleted that line from system-auth and found that I could
indeed ssh between machines using my ssh key, just as Neil
said.

However...

Then I remembered that the *real* reason I added that line
to system-auth is so that I can login directly (not via ssh)
to my local machines using my ssh passphrase instead of an
ordinary password.  (This seems inherently more secure to
me, but I could be wrong.)

After thinking awhile I realized that pam can be used to
combine muliple forms of authentication to reduce the well
documented risk of single-factor authentication (like our
traditional password system).

Example:  if I have an ordinary password, plus an ssh key
stored on a USB stick, plus a biometric device like an
eye scanner or a fingerprint scanner, I can then use any
or all of those methods to identify myself to the system
by configuring pam in the appropriate way.

Any sysadmins out there that can confirm my reasoning?

Re: [gentoo-user] [footnote] The purpose of pam

[Alan McKinnon]

On Wednesday 27 January 2010 02:34:56 walt wrote:
> After thinking awhile I realized that pam can be used to
> combine muliple forms of authentication to reduce the well
> documented risk of single-factor authentication (like our
> traditional password system).
> 
> Example:  if I have an ordinary password, plus an ssh key
> stored on a USB stick, plus a biometric device like an
> eye scanner or a fingerprint scanner, I can then use any
> or all of those methods to identify myself to the system
> by configuring pam in the appropriate way.
> 
> Any sysadmins out there that can confirm my reasoning?
> 

This is not merely a nice thing you can use pam to do.

It is the entirely reason for pam's existence and it was 
written to do nothing else.

If all you need auth to do is validate a username/password 
you might as well stick with login

pam is Pluggable Authentication Modules, meaning you use 
the modules you want to create the scheme you want.

-- 
alan dot mckinnon at gmail dot com

Re: [gentoo-user] [footnote] The purpose of pam

[Stroller]

On 27 Jan 2010, at 00:34, walt wrote:
> ...
> After thinking awhile I realized that pam can be used to
> combine muliple forms of authentication to reduce the well
> documented risk of single-factor authentication (like our
> traditional password system).
> ...
> Any sysadmins out there that can confirm my reasoning?

I use pam_winbind at a site to enable users to logon to the Dovecot  
IMAP server using their Windows domain username & password.

Once the underlying mechanism is setup it requires very little work to  
enable this - for ftp authentication (restricted to localhost only,  
but this allows Squirrelmail users to add a vacation message) I needed  
to touch, I am sure, nothing but the /etc/pam.d/ftp file. Dovecote  
requires only one or two extra lines in its config. With one  
additional line in /etc/pam.d/imaps a homedir is created for the user  
the first they log into the IMAP server (pam_mkhomedir.so).

This list may not consider this such a cool use of PAM as using long  
encryption keys to authenticate themselves, but I have found PAM  
amazing when it all comes together so quickly. PAM seems quite  
powerful & flexible, although I too seem to recall having a  
frustrating experience when I encountered it, without understanding  
it, years ago.

Stroller.

Re: [gentoo-user] [footnote] The purpose of pam

[Willie Wong]

On Tue, Jan 26, 2010 at 04:34:56PM -0800, walt wrote:
> After thinking awhile I realized that pam can be used to
> combine muliple forms of authentication to reduce the well
> documented risk of single-factor authentication (like our
> traditional password system).
> 
> Example:  if I have an ordinary password, plus an ssh key
> stored on a USB stick, plus a biometric device like an
> eye scanner or a fingerprint scanner, I can then use any
> or all of those methods to identify myself to the system
> by configuring pam in the appropriate way.

Yes. 

First look at the PAM configuration section of this:

http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader#Login_via_pam_bioapi

Now if instead of having 

auth sufficient pam_unix.so ...
auth sufficient pam_bioapi.so ...

which says that either password log-in OR fingerprint scanner is
enough, you change the first line to "auth required ...", per the docs

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html

you will then have a behaviour where BOTH password and fingerprint is
involved. I think PAM is a Pretty Good Idea and its implementation is
Very Cool, but I also think it is completely unnecessary on _my_
laptop. 

Cheers, 

W
-- 
Willie W. Wong                                     wwong@math.princeton.edu
Data aequatione quotcunque fluentes quantitae involvente fluxiones invenire 
         et vice versa   ~~~  I. Newton

Re: [gentoo-user] [footnote] The purpose of pam

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 1627 bytes --]

On Wednesday 27 January 2010 11:01:52 Willie Wong wrote:
> On Tue, Jan 26, 2010 at 04:34:56PM -0800, walt wrote:
> > After thinking awhile I realized that pam can be used to
> > combine muliple forms of authentication to reduce the well
> > documented risk of single-factor authentication (like our
> > traditional password system).
> >
> > Example:  if I have an ordinary password, plus an ssh key
> > stored on a USB stick, plus a biometric device like an
> > eye scanner or a fingerprint scanner, I can then use any
> > or all of those methods to identify myself to the system
> > by configuring pam in the appropriate way.
> 
> Yes.
> 
> First look at the PAM configuration section of this:
> 
> http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader#Login_vi
> a_pam_bioapi
> 
> Now if instead of having
> 
> auth sufficient pam_unix.so ...
> auth sufficient pam_bioapi.so ...
> 
> which says that either password log-in OR fingerprint scanner is
> enough, you change the first line to "auth required ...", per the docs
> 
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-f
> ile.html
> 
> you will then have a behaviour where BOTH password and fingerprint is
> involved. I think PAM is a Pretty Good Idea and its implementation is
> Very Cool, but I also think it is completely unnecessary on _my_
> laptop.

What would be the pam-way to only allow remote ssh logins using pubkeys and 
completely forbid ssh paswd?  I used to remove allow pam from sshd_config.  Is 
there a better pam-centric way of doing the same thing?
-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-user] [footnote] The purpose of pam

[Ward Poelmans]

On Wed, Jan 27, 2010 at 23:04, Mick <michaelkintzios@gmail.com> wrote:
> What would be the pam-way to only allow remote ssh logins using pubkeys and
> completely forbid ssh paswd?  I used to remove allow pam from sshd_config.  Is
> there a better pam-centric way of doing the same thing?

Put "PasswordAuthentication" to no in you sshd_config?

Ward

Re: [gentoo-user] [footnote] The purpose of pam

[Alan McKinnon]

On Thursday 28 January 2010 00:04:46 Mick wrote:
> On Wednesday 27 January 2010 11:01:52 Willie Wong wrote:
> > On Tue, Jan 26, 2010 at 04:34:56PM -0800, walt wrote:
> > > After thinking awhile I realized that pam can be used to
> > > combine muliple forms of authentication to reduce the well
> > > documented risk of single-factor authentication (like our
> > > traditional password system).
> > >
> > > Example:  if I have an ordinary password, plus an ssh key
> > > stored on a USB stick, plus a biometric device like an
> > > eye scanner or a fingerprint scanner, I can then use any
> > > or all of those methods to identify myself to the system
> > > by configuring pam in the appropriate way.
> >
> > Yes.
> >
> > First look at the PAM configuration section of this:
> >
> > http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader#Login_
> >vi a_pam_bioapi
> >
> > Now if instead of having
> >
> > auth sufficient pam_unix.so ...
> > auth sufficient pam_bioapi.so ...
> >
> > which says that either password log-in OR fingerprint scanner is
> > enough, you change the first line to "auth required ...", per the docs
> >
> > http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration
> >-f ile.html
> >
> > you will then have a behaviour where BOTH password and fingerprint is
> > involved. I think PAM is a Pretty Good Idea and its implementation is
> > Very Cool, but I also think it is completely unnecessary on _my_
> > laptop.
> 
> What would be the pam-way to only allow remote ssh logins using pubkeys and
> completely forbid ssh paswd?  I used to remove allow pam from sshd_config. 
>  Is there a better pam-centric way of doing the same thing?

That's pretty pointless. pam doesn't know how to do openssl voodoo magic. sshd 
does.
 

-- 
alan dot mckinnon at gmail dot com