

Richard Lennerts <richard@vianet.net.au> wrote:
> The concern is that NSS is not suited that well to Radius for the
> purpose of authentication, but would probably do an ok job for
> authorisation.

  If you're willing to modify the RADIUS server, and use static
passwords on the client end, you can get away with using *only* NSS
for authentication and authorization.  This is because NSS will supply
an encrypted password that local tools may use for authentication.

> At this stage it looks like I'll be using PAM and
> pam_pwdb for authentication and NSS with nss_pwdb for authorisation.
> Both NSS and PAM pwdb modules will use Radius. This may work, but it
> concerns me how many points of failure I could be introducing into all
> authentication and authorisation based services.

  If you're using RADIUS, you might as well use it directly, instead
of going through pwdb, which is starting to show its age.

> It looks to me that we (the UNIX community) need to make a clean break
> from the historical way of granting access to services. Maybe a new
> modular based protocol is needed. This could be called PAAAAM :) for
> Pluggable Authentication, Authorisation And Accounting Module.

  Why re-invent the wheel?  If PAM isn't what you need, don't invent
PAAAAM to do the same thing as RADIUS.

> This way the good ideas from PAM can be extended to more fully deal
> with the problem of granting and tracking access of users, reducing
> the points of failure in this process and further increasing the
> flexibility needed for this problem.

  PAM doesn't do authorization, and I think it would be a horrid hack
if that functionality were to be added.

  Alan DeKok.
