

From: 	Alan DeKok
Sent: 	Thursday, 29 October 1998 23:06
To: 	pam-list@redhat.com

Richard Lennerts <richard@vianet.net.au> wrote:
> The concern is that NSS is not suited that well to Radius for the
> purpose of authentication, but would probably do an ok job for
> authorisation.

  If you're willing to modify the RADIUS server, and use static
passwords on the client end, you can get away with using *only* NSS
for authentication and authorization.  This is because NSS will supply
an encrypted password that local tools may use for authentication.

In radius, the passwords are usually kept in an unencrypted format. One of the features of Radius is that _IT_ does the authentication. If you were to pass an encrypted password off to NSS in order for the standard libc functions to authenticate the info returned from the Radius server, you would lose some serious functionality in Radius.

The point of using PAM is that you dispose of the necessity to use the typical form of passwords. This frees up your authentication methods to use anything you wish, eg retinal scan, calling-number, etc. etc. NSS does not do this, therefore NSS alone is not the solution. PAM does not offer a convenient method of authorisation, therefore PAM alone is not the solution.

> At this stage it looks like I'll be using PAM and
> pam_pwdb for authentication and NSS with nss_pwdb for authorisation.
> Both NSS and PAM pwdb modules will use Radius. This may work, but it
> concerns me how many points of failure I could be introducing into all
> authentication and authorisation based services.

  If you're using RADIUS, you might as well use it directly, instead
of going through pwdb, which is starting to show its age.

In the future I will; the reason I have not is that, being completely new to PAM, I did not trust myself to write a pam_radius module. The one that currently exists, written by Christian Gafton, only supports accounting I think, and it was decided to incorporate it into PWDB for more functionality. The other PAM radius module I know of, pam_lradius by Leemah, only supports authentication.

> It looks to me that we (the UNIX community) need to make a clean break
> from the historical way of granting access to services. Maybe a new
> modular based protocol is needed. This could be called PAAAAM :) for
> Pluggable Authentication, Authorisation And Accounting Module.

  Why re-invent the wheel?  If PAM isn't what you need, don't invent
PAAAAM to do the same thing as RADIUS.

Radius is an authentication and accounting server. The "PAAAAM" or whatever protocol would be the middle layer module and the applications that use it would be the clients. I don't want something to do the _same_ as radius, but something which can utilise radius and other authentication, authorisation and accounting schemes.

> This way the good ideas from PAM can be extended to more fully deal
> with the problem of granting and tracking access of users, reducing
> the points of failure in this process and further increasing the
> flexibility needed for this problem.

  PAM doesn't do authorization, and I think it would be a horrid hack
if that functionality were to be added.

Agreed. I'm not proposing a hack to PAM. I'm proposing a complete re-think into what is required to obtain a real workable solution. PAM has some great points, so does NSS, but separately they don't provide a solution; together they can be made to work, but there has to be a better way.
