Gentoo Archives: gentoo-user

From: walt <w41ter@×××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] [footnote] The purpose of pam
Date: Wed, 27 Jan 2010 00:37:31
Message-Id: hjo1nm$l8k$
1 Not too long ago there was a question here about why pam is
2 needed (or not) but I can't find that thread at the moment :-/
4 Anyway, I said that I put "auth sufficient" in
5 my /etc/pam.d/system-auth file so that I can ssh between
6 the machines on my home network using my ssh key for login
7 authentication *instead* of a password.
9 Well, Neil said that I don't need pam for that because sshd
10 handles ssh logins automatically, whether by key or password.
12 I deleted that line from system-auth and found that I could
13 indeed ssh between machines using my ssh key, just as Neil
14 said.
16 However...
18 Then I remembered that the *real* reason I added that line
19 to system-auth is so that I can login directly (not via ssh)
20 to my local machines using my ssh passphrase instead of an
21 ordinary password. (This seems inherently more secure to
22 me, but I could be wrong.)
24 After thinking awhile I realized that pam can be used to
25 combine muliple forms of authentication to reduce the well
26 documented risk of single-factor authentication (like our
27 traditional password system).
29 Example: if I have an ordinary password, plus an ssh key
30 stored on a USB stick, plus a biometric device like an
31 eye scanner or a fingerprint scanner, I can then use any
32 or all of those methods to identify myself to the system
33 by configuring pam in the appropriate way.
35 Any sysadmins out there that can confirm my reasoning?


Subject Author
Re: [gentoo-user] [footnote] The purpose of pam Alan McKinnon <alan.mckinnon@×××××.com>
Re: [gentoo-user] [footnote] The purpose of pam Stroller <stroller@××××××××××××××××××.uk>
Re: [gentoo-user] [footnote] The purpose of pam Willie Wong <wwong@××××××××××××××.EDU>