On 2016-06-24, John Dennis wrote:
On 06/24/2016 10:02 AM, Stian Thorgersen wrote:
> We can support authentication over multiple steps as we already do that
> for OTP. However, the problem will be with regards to the conversation
> as this would require sticky sessions if clustered to make sure the
> second step is sent to the same node. Can't PAM verify the two
> independently? First password, then separately OTP? That would make it
> much simpler and stateless.
PAM is implemented as a C language library running in the address space of a
single process (remember I said it was 20 years old :-). The state is kept
in the address space of that process. That is the primary limitation and
would really restrict you with regards to distributing the conversation
across processes.
I don't know if anyone has tried to address this, perhaps others in our
group would know. It's been years since I coded PAM; I hope my recollections
are correct on all accounts.
This constraint should not be an issue for simple username/password auth
because the PAM conversation can be completed as part of one single HTTP
request.
My thought here (but I don't have the final say) is let's not worry about
this for the first implementation. If we can avoid boxing ourselves in by
some implementation design choice we should take it into consideration if
possible.
My limited knowledge says that's possible with pam-radius-auth[1], but
I wouldn't risk it before performing some tests. I agree with John here,
plus libpam4j only supports username/password.
I get the feeling that if we take this road, we're certainly going to end up
with our own bindings for libpam.
[1] http://freeradius.org/pam_radius_auth/
--
John
--
abstractj
PGP: 0x84DC9914