[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: The Open Group's PAM



Andrew,

It appears that PAM is officially part of CDE:

From:	http://www.camb.opengroup.org/tech/desktop/cde/cde.data.sheet.htm
	New in CDE 2.1 (February 5, 1997)

	Integration with the "pluggable authentication modules" technology
	(PAM) providing the capability for a single sign-on for CDE users

CDE is also shipping with AIX >= 4.1.4 and HP-UX 10.10 and is default for
10.20.  This broadens its scope a bit over just Solaris (and of course Linux
:-))

The info I found on PAM at the opengroup is:
	http://www.opengroup.org/infosrv/XSSO/HTML/toc.htm

SSO stands for single sign on.  They have some nice pictures :-)

	-- Alan Robertson
	   alanr@bell-labs.com


Andrew Morgan <morgan@transmeta.com> wrote: 
> alanr@bell-labs.com writes:
> > Does anyone know how The Open Group's PAM compares to Linux-PAM (or
> > for that matter to Solaris-PAM)?
> 
> Hi,
> 
> The last time I was able to see their spec, the "Open" Group's PAM is
> exactly that of Solaris.  (SunSoft contributed their source.) [I use
> the quotes here because all interaction by members of this list and
> that group has been mediated by the engineers at Sun -- all of whom,
> incidentally, have since stopped working on PAM.]
> 
> I'm pleased to say that some of the Solaris code includes a couple of
> things that we suggested: the "requisite" control flag is one thing
> that comes to mind.  And one or two bug fixes that became obvious when
> we tried to do as was written in the original RFC.
> 
> (The X/Open spec from March 1997 was given to us by Vipin and you can
> download it from my http://www.kernel.org/pub/linux/libs/pam/ web page.)
> 
> This X/Open spec is actually mostly a draft of intent that attempts to
> integrate PAM into a larger distributed system framework.  In this
> spec there are a number of proposed extensions to the Solaris
> implementation of PAM to allow for "secondary authentication".  It is
> clear from reading the spec that the initial prototypes do a very good
> job of destroying the pluggability of the interface.  Unfortunately,
> the spec is not that clear about the purpose of these enhancements so
> it is not obvious at what level the draft specification could be
> improved.
> 
> I have not seen anything from X/Open since.  If you are aware of any
> document subsequent to the one I mention above, I would be extremely
> happy to know about it/read a copy!
> 
> As for compatibility: apart from the choice of numerical values for
> various PAM_"XXX" #define's, the 0.59+ Linux-PAM releases are a
> superset of the Solaris one.  Most of the enhancements are a direct
> result of being "in wide use" (courtesy of Red Hat) for about a year
> before Solaris 2.6 shipped.
> 
> Derrick (shadow@dementia.org) has been looking at the
> incompatibilities between the Solaris and Linux implementations and
> you can read more about his efforts here:
> http://www.dementia.org/~shadow/pam.html
> 
> Where we (I ;^) have consented to add features to Linux-PAM that are
> not (yet?) supported by Solaris, Ted Ts'o has tried very hard to keep
> me honest and make sure that we remain a strict superset of the
> Solaris implementation -- generally, the feeling of this list's
> members' is that we should be easy to port to from Solaris.  The level
> of success that Derrick has had in his efforts are, however, all the
> evidence of compatibility that I am aware of.
> 
> I hope that helped!
> 
> Cheers
> 
> Andrew
> 
> -- 
> To unsubscribe: mail -s unsubscribe pam-list-request@redhat.com < /dev/null
> 



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []