Question

I am looking at the way PAM modules are designed as guidelines for my own JAAS LoginModule. One thing that surprised me is that, although the method used to access a hashed password is mostly orthogonal to the hash method itself, I was not able to find any PAM modules that would make good use of this property. Is it because of some security issue that I overlooked, or is it simply something that was not explored yet?

To explain a little bit more what I mean, let's say that we have 3 different methods to access a hashed password (LDAP, SQL, plain files) and 2 hash methods (MD5, SHA1). Currently there is one or more PAM modules for each access method, each one implementing one or more of these hash methods. Adding a new hash method (say BCrypt) means that all these access methods need to be modified to support the new hash type. A better design would be to have one PAM module for each access method that simply retrieves the hashed password using the user name, then to have a separate set of PAM modules that do the hash verification, with the hashed value shared between modules (like the password is). So if I use a database to store my password, and use MD5 to verify the password, my configuration would look like this:

password  required  pam_sql.so
password  required  pam_md5.so

In this configuration pam_sql retrieves the hashed password from a database (or fails if the username does not exist). Then pam_md5 compares the hashed password with the password to test and fails if they do not match. In a different configuration using Bcrypt, I would just have to replace pam_md5 by pam_bcrypt, without having to wait for the developers of pam_sql to update it for the new hash method.
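The two-module stack from the question, simulated as an added Python example (not PAM's code and not the asker's): a retrieval-only pam_sql stand-in shares the stored hash through the handle, the way pam_set_data would, and a separate verification-only module compares it in constant time. The module names pam_md5.so and pam_pbkdf2.so, the user table and the fixed salt are constructed for the demo; only the "required" control flag is modelled.

```python
import functools
import hashlib
import hmac

# Constructed demo backend (hypothetical): user -> (salt, stored digest).
SALT = b"constructed-salt"  # a real backend stores a random per-user salt

def md5_digest(password, salt):          # legacy scheme named in the question
    return hashlib.md5(salt + password.encode()).digest()

def pbkdf2_digest(password, salt):       # the "new hash method" the retriever never sees
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class PamHandle:
    """Stands in for pam_handle_t: items every module sees (user, authtok)
    plus the per-stack data slot that pam_set_data/pam_get_data would provide."""
    def __init__(self, user, authtok):
        self.items = {"user": user, "authtok": authtok}
        self.data = {}

def pam_sql(pamh, users):
    """Retrieval-only module: fetch the stored hash, share it, never compare."""
    record = users.get(pamh.items["user"])
    if record is None:
        return "PAM_USER_UNKNOWN"
    pamh.data["stored_hash"] = record
    return "PAM_SUCCESS"

def make_hash_verifier(digest_fn):
    """Verification-only module: recompute with digest_fn, compare in constant time."""
    def verify(pamh):
        record = pamh.data.get("stored_hash")
        if record is None:               # no retrieval module ran before us
            return "PAM_AUTHINFO_UNAVAIL"
        salt, expected = record
        actual = digest_fn(pamh.items["authtok"], salt)
        return "PAM_SUCCESS" if hmac.compare_digest(actual, expected) else "PAM_AUTH_ERR"
    return verify

def build_stack(config, users):
    """Map config lines of the form 'password required <module>' onto callables."""
    registry = {"pam_sql.so": functools.partial(pam_sql, users=users),
                "pam_md5.so": make_hash_verifier(md5_digest),
                "pam_pbkdf2.so": make_hash_verifier(pbkdf2_digest)}
    return [registry[line.split()[2]] for line in config if line.split()]

def run_stack(stack, user, authtok):
    """'required' semantics: every module runs; the first failure decides the outcome."""
    pamh = PamHandle(user, authtok)
    result = "PAM_SUCCESS"
    for module in stack:
        rc = module(pamh)
        if rc != "PAM_SUCCESS" and result == "PAM_SUCCESS":
            result = rc
    return result

MD5_USERS = {"alice": (SALT, md5_digest("correct horse", SALT))}
PBKDF2_USERS = {"alice": (SALT, pbkdf2_digest("correct horse", SALT))}
```

Changing the second config line from pam_md5.so to pam_pbkdf2.so (with a backend that stores PBKDF2 digests) is the only edit needed; pam_sql is unchanged.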


Solution

PAM doesn't have knowledge of password hashing or methods of comparing passwords (whether hashed or not). PAM provides facilities for modules to have a "conversation" with the user, i.e. ask them questions and get answers from them. The usual questions are, of course, "what's your username?" and "what's your password?", but they need not be. For all PAM cares, some module could ask the user 5 questions or none before deciding the outcome of the authentication process.

What you are asking for is an abstraction at a lower layer than PAM that provides common services to that subset of PAM modules that deal with hashed passwords.

What's your question? Do you want to implement such an abstraction and promote it as a standard?

Licensed under: CC-BY-SA with attribution