
Re: How do I get rid of passwd/shadow files

> > however, PAM has been adopted as standard in redhat linux, and that
> > carries weight.  if those other protocols are _also_ adopted, then i
> > will join development lists on them and help out.
> But in a very real sense, that's not what PAM is for, and it's not
> what it's used for.

  But in a very different (and just as real) sense, that's what people
*need*.  The flurry of activity on the list indicates that there is a
desperate need for enterprise-wide authentication & authorization.
PAM handles the authentication, but not the authorization.

  It seems that the consensus is to use RADIUS for both.  That's not
too surprising, as that's the problem RADIUS was designed to solve.

> Red Hat doesn't do this.  With the NSS interface provided by glibc,
> the best solution is probably to just write a module to interface to
> RADIUS and let all of your installed programs benefit without the need
> for recompilation.

  OK, I'll bite the bullet.  The nss_pwdb seems simple enough, and I've
spent the last 3 months hacking Cistron at home, and a commercial
server at work.  I'll try to get an nss_radius done this week, even if
it means hacking a radius server.

>  The key assumption made with NSS (AFAIK) is that the user
> information can be gotten without authenticating to the service, so
> if all access to a RADIUS database is password-protected, allowances
> would need to be made.

  i.e. Extending the RADIUS functionality to handle authorization
without authentication.  It won't be RFC compatible, but if you've got
source and a RADIUS server that does what you *need*, we can always
get the RFC's re-written.

  For anyone else doing RADIUS, I'd suggest a LGPL'd cross-platform
library.  I'm not entirely satisfied with the PWDB implementation of
RADIUS, and it doesn't do Vendor-Specific attributes, or a number of
other things.  For Linux/Solaris/WNT source, see my latest CVS snapshot:


  I've also got a hacked version of Cistron.  Once I get the NSS
module working, I'll put everything online for public perusal.

  Now all we need is an NT gina plug-in which does RADIUS...

  Alan DeKok.
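The message above sketches an nss_radius module for glibc's NSS interface. What follows is an added illustration of the glibc side of that idea, not Alan DeKok's code and not nss_pwdb or Cistron: a minimal passwd NSS module whose backend is a constructed in-memory table standing in for whatever a RADIUS reply would carry. The module name "example" (so the library would be libnss_example.so.2 and the nsswitch.conf service "example"), the sample users and the field values are all assumptions. The parts worth seeing are the entry-point signatures glibc looks up with dlsym(), the buffer packing with ERANGE/TRYAGAIN so glibc retries with a larger buffer, and that the module hands out "x" rather than any credential, since, as the quoted reply notes, NSS lookups are made without authenticating to the service.

```c
/* Minimal glibc NSS passwd module (added example, not code from the thread).
 * Backend: a constructed in-memory table standing in for RADIUS reply data.
 * Build as a shared object: cc -shared -fPIC -o libnss_example.so.2 nss_example.c
 * Or build the stand-alone demo: cc -o demo nss_example.c */
#include <errno.h>
#include <pwd.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#ifdef __has_include
#  if __has_include(<nss.h>)
#    include <nss.h>
#    define HAVE_NSS_H 1
#  endif
#endif
#ifndef HAVE_NSS_H
/* Mirrors the status codes in glibc's <nss.h> for builds lacking the header. */
enum nss_status {
    NSS_STATUS_TRYAGAIN = -2,
    NSS_STATUS_UNAVAIL  = -1,
    NSS_STATUS_NOTFOUND = 0,
    NSS_STATUS_SUCCESS  = 1,
    NSS_STATUS_RETURN   = 2
};
#endif

struct backend_user {
    const char *name;
    uid_t uid;
    gid_t gid;
    const char *gecos, *dir, *shell;
};

/* Constructed sample data (hypothetical users), in place of a RADIUS lookup. */
static const struct backend_user backend[] = {
    { "alice", 1001, 1001, "Alice Example", "/home/alice", "/bin/sh" },
    { "bob",   1002, 1002, "Bob Example",   "/home/bob",   "/bin/sh" },
};

static const struct backend_user *backend_by_name(const char *name)
{
    for (size_t i = 0; i < sizeof backend / sizeof backend[0]; i++)
        if (strcmp(backend[i].name, name) == 0)
            return &backend[i];
    return NULL;
}

static const struct backend_user *backend_by_uid(uid_t uid)
{
    for (size_t i = 0; i < sizeof backend / sizeof backend[0]; i++)
        if (backend[i].uid == uid)
            return &backend[i];
    return NULL;
}

/* Copy src (with NUL) into the caller's buffer, advancing the cursor.
 * Returns NULL if it does not fit; the caller then reports ERANGE. */
static char *buf_copy(const char *src, char **cur, size_t *left)
{
    size_t n = strlen(src) + 1;
    if (n > *left)
        return NULL;
    char *dst = memcpy(*cur, src, n);
    *cur += n;
    *left -= n;
    return dst;
}

/* Fill struct passwd from a backend record. All string fields must point
 * into buffer, because glibc owns nothing else after the call returns. */
static enum nss_status fill_passwd(const struct backend_user *u, struct passwd *pwd,
                                   char *buffer, size_t buflen, int *errnop)
{
    char *cur = buffer;
    size_t left = buflen;
    pwd->pw_uid = u->uid;
    pwd->pw_gid = u->gid;
    if (!(pwd->pw_name   = buf_copy(u->name,  &cur, &left)) ||
        !(pwd->pw_passwd = buf_copy("x",      &cur, &left)) || /* no hash: lookups are unauthenticated */
        !(pwd->pw_gecos  = buf_copy(u->gecos, &cur, &left)) ||
        !(pwd->pw_dir    = buf_copy(u->dir,   &cur, &left)) ||
        !(pwd->pw_shell  = buf_copy(u->shell, &cur, &left))) {
        *errnop = ERANGE;            /* glibc retries with a larger buffer */
        return NSS_STATUS_TRYAGAIN;
    }
    return NSS_STATUS_SUCCESS;
}

/* Entry points glibc resolves from libnss_example.so.2 for "passwd: example". */
enum nss_status _nss_example_getpwnam_r(const char *name, struct passwd *pwd,
                                        char *buffer, size_t buflen, int *errnop)
{
    const struct backend_user *u = backend_by_name(name);
    if (u == NULL) {
        *errnop = ENOENT;
        return NSS_STATUS_NOTFOUND;  /* NSS moves on to the next source */
    }
    return fill_passwd(u, pwd, buffer, buflen, errnop);
}

enum nss_status _nss_example_getpwuid_r(uid_t uid, struct passwd *pwd,
                                        char *buffer, size_t buflen, int *errnop)
{
    const struct backend_user *u = backend_by_uid(uid);
    if (u == NULL) {
        *errnop = ENOENT;
        return NSS_STATUS_NOTFOUND;
    }
    return fill_passwd(u, pwd, buffer, buflen, errnop);
}

/* Stand-alone demo of the same calls glibc would make. */
int main(void)
{
    struct passwd pw;
    char buf[256];
    int err = 0;
    if (_nss_example_getpwnam_r("alice", &pw, buf, sizeof buf, &err) == NSS_STATUS_SUCCESS)
        printf("%s:%s:%u:%u:%s:%s:%s\n", pw.pw_name, pw.pw_passwd, (unsigned)pw.pw_uid,
               (unsigned)pw.pw_gid, pw.pw_gecos, pw.pw_dir, pw.pw_shell);
    if (_nss_example_getpwnam_r("mallory", &pw, buf, sizeof buf, &err) == NSS_STATUS_NOTFOUND)
        printf("mallory: not found (errno %d)\n", err);
    return 0;
}
```

A real nss_radius backend would replace the two backend_by_* lookups with a network round trip, and the UNAVAIL status (not used above) is what to return when the RADIUS server cannot be reached, so that glibc falls through to the next source in nsswitch.conf instead of reporting the user as nonexistent.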
