Re: Pluggable Non Interactive Authentication Modules


On Fri, Oct 23, 1998 at 05:59:29PM -0400, Theodore Y. Ts'o wrote:
>    Date: Thu, 22 Oct 1998 18:10:18 +0400
>    From: Savochkin Andrey Vladimirovich <saw@msu.ru>
>    I and my University colleagues have started a project named
>    `Pluggable Non Interactive Authentication Modules'.
>    We want to keep advantages of PAM and avoid its known weaknesses.
>    The new API is convenient for Internet servers (like FTP, POP etc)
>    and wouldn't require `conversation function hacks' so common for
>    servers with PAM support.  The second important point is that
>    authentication and the process of obtaining user's identity
>    information are both under modules' control.  
> You may wish to take a look at the GSSAPI (and possibly SASL) for some
> ideas of what your interface should support.  At the very least, it
> would be highly desirable if your API could support protocols that wish
> to use GSSAPI-based authentication using a Krb5 GSSAPI mechanism, for
> example.   

GSSAPI seems to be overweight for most existing applications.
The PNIAM API is supposed to be free of notions like token and
security context.  However, I would consider it a bug if the
PNIAM API doesn't allow KRB5 to be implemented clearly as a module.
I don't see problems for a KRB5 or any other GSSAPI module implementation
under PNIAM, but I'm not very familiar with the protocols.

> You can obtain more information about GSSAPI from RFC-2078 and
> RFC-1510.  That might be a good place to start for some ideas.

Best wishes
					Andrey V.

