PAM working group ## A.G. Morgan

## $Id$ ##

## Pluggable Authentication Modules ##

## REGISTERED AGENTS AND THEIR AGENT-ID'S ##

#$ Purpose of this document

#$$#{definition} Definition of an agent-id

The most complete version of a "PAM agent-id" is contained in this
reference [#$R#{PAM_RFC2}]. A copy of a recent definition is
reproduced here for convenience. The reader is recommended to consult
reference [#{PAM_RFC2}] for definitions of other terms that are
used in this document.

## -------------- ##

The agent_id is a sequence of characters satisfying the following
regexp:

    /^[a-z0-9\_]+(@[a-z0-9\_.]+)?$/

and has a specific form for each independent agent.

  o Agent_ids that do not contain an at-sign (@) are to be considered as
    representing some authentication mode that is a "public
    standard". Registered names MUST NOT contain an at-sign (@).

  o Anyone can define additional agents by using names in the format
    name@domainname, e.g. "ouragent@example.com". The part following
    the at-sign MUST be a valid fully qualified internet domain name
    [RFC-1034] controlled by the person or organization defining the
    name. (Said another way, if you control the email address that
    your agent has as an identifier, then you are entitled to use
    this identifier.) It is up to each domain how it manages its local
    namespace.

## -------------- ##

#$ Registered agent-id's

The structure of this section is a single subsection for each
registered agent-id. This section includes a full definition of binary
prompts accepted by the agent and example responses of said
agent. Using the defining section alone, it should be possible for a
third party to create a conforming agent and modules that can
interoperate with other implementations of these objects.

*$ "userpass" - the user+password agent

Many legacy authentication systems are hardcoded to support one and
only one authentication method. Namely,

    username: joe
    password: <secret>

Indeed, this authentication method is often embedded into parts of the
transport protocol. The "user+password" agent with PAM agent-id:

    "userpass"

is intended to support this legacy authentication scheme. The protocol
for binary prompt exchange with this 'standard agent' is as follows:

Case 1: module does not know the username, but expects the agent to
obtain this information and also the user's password:

    module: {LENGTH;PAM_BP_SELECT;userpass;'/'}
    agent: {}

Case 2: module has a suggested username, but would like the agent to
confirm it and gather the password:

    module: {}
    agent: {}

Case 3: module knows the username and will not permit the agent to
change it:

    module: {}
    agent: {}

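The agent-id grammar defined above and the Case 1 SELECT prompt, as an added example that is not part of this document or of Linux-PAM: a validator that applies the regexp, classifies an id as registered, unregistered-public or domain-scoped, and splits a SELECT payload at the '/' shown in Case 1. The one-entry registry, the FQDN label check and the assumption that the LENGTH and control fields have already been removed from the payload are mine, not the document's.

```python
import re
from typing import Tuple

# Grammar from the document's definition (its "\_" is just an escaped "_").
AGENT_ID_RE = re.compile(r"^[a-z0-9_]+(@[a-z0-9_.]+)?$")
# Constructed registry: the only agent-id this document registers.
REGISTERED_AGENT_IDS = frozenset({"userpass"})


def classify_agent_id(agent_id: str) -> str:
    """Return "registered", "unregistered-public" or "domain-scoped";
    raise ValueError when the id violates the grammar or the domain rule."""
    # fullmatch, so a trailing newline cannot slip past the '$' anchor.
    if not AGENT_ID_RE.fullmatch(agent_id):
        raise ValueError(f"malformed agent-id: {agent_id!r}")
    if "@" not in agent_id:
        # No at-sign: a public-standard name; only listed ones are registered.
        return "registered" if agent_id in REGISTERED_AGENT_IDS else "unregistered-public"
    domain = agent_id.split("@", 1)[1]
    labels = domain.split(".")
    # The regexp alone admits "a@x", "a@." and "a@x..y"; a fully qualified
    # domain name needs at least two non-empty labels (assumed check).
    if len(labels) < 2 or "" in labels:
        raise ValueError(f"not a fully qualified domain name: {domain!r}")
    return "domain-scoped"


def is_valid_agent_id(agent_id: str) -> bool:
    """Boolean form of classify_agent_id for callers that only gate."""
    try:
        classify_agent_id(agent_id)
    except ValueError:
        return False
    return True


def parse_select_payload(payload: bytes) -> Tuple[str, str, bytes]:
    """Split a SELECT prompt payload into (agent_id, kind, agent data).
    Assumption: LENGTH and the control byte are already stripped, leaving
    agent-id, '/' and data as in Case 1's {LENGTH;PAM_BP_SELECT;userpass;'/'}."""
    head, sep, data = payload.partition(b"/")
    if not sep:
        raise ValueError("select payload lacks the '/' separator")
    try:
        agent_id = head.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("agent-id is not ASCII") from exc
    return agent_id, classify_agent_id(agent_id), data
```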
#$ References

[#{PAM_RFC2}] Internet draft, "Pluggable Authentication Modules
(PAM)", available here:

# http://linux.kernel.org/pub/linux/libs/pam/pre/doc/current-draft.txt #

#$ Author's Address

Andrew G. Morgan
Email: morgan@kernel.org