On 06/24/2016 10:02 AM, Stian Thorgersen wrote:
> We can support authentication over multiple steps as we already do that
> for OTP. However, the problem will be with regards to the conversation
> as this would require sticky sessions if clustered to make sure the
> second step is sent to the same node. Can't PAM verify the two
> independently? First password, then separately OTP? That would make it
> much simpler and stateless.
PAM is implemented as a C language library running in the address space
of a single process (remember I said it was 20 years old :-). The state
is kept in the address space of that process. That is the primary
limitation and would really restrict you with regards to distributing
the conversation across processes.
I don't know if anyone has tried to address this, perhaps others in
our group would know. It's been years since I coded PAM, so I hope my
recollections are correct on all accounts.
This constraint should not be an issue for simple username/password auth
because the PAM conversation can be completed as part of one single HTTP
request.
My thought here (but I don't have the final say) is let's not worry
about this for the first implementation. If we can avoid boxing
ourselves in by some implementation design choice we should take it into
consideration if possible.
--
John