
Re: thinking about pam



   From: rdm@tad.micro.umn.edu
   Date: 4 Oct 1996 15:13:56 -0000

   Then, it would make sense to allow programs that work at
   communications boundaries to cleanly support either PAM (new session)
   or GSSAPI (continuation of remotely instantiated session).

GSSAPI isn't necessarily just for things like remote login, though.  For
example, you'd use GSSAPI if you wanted to secure an lpr or POP session,
for example.  

In the case of POP, you *could* use PAM, since in the normal (insecure)
POP protocol, you just send a username and password to the remote POP
server.  This is very easy for someone to eavesdrop and grab your
password, though.  It's also annoying for the user because they have to
type their password each time they want to get mail (alternatively, the
mail client could store the password on the client's machine, where the
password may be subject to theft.)

In a world where you're very much worried about network security, PAM
would only be used for those locations when the user is right in front
of the workstation that he/she's logging into, and GSSAPI is used for
everything else.  (S/Key is a special case of where PAM is useful, even
for remote connections.)

						- Ted
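
The contrast this message draws between the normal POP login and a GSSAPI-secured session, as an added example that is not part of the original message: a small auditor that reads a POP3 transcript, reports whether a reusable password crossed the wire, and redacts it from its output. The transcripts, account name and tokens are constructed, and the AUTH command shown is the POP3 AUTH extension (RFC 1734), which the message itself does not name.

```python
# Constructed POP3 transcripts ("C:" client, "S:" server); the password and
# the base64 tokens are placeholders, not real credentials or GSSAPI tokens.
PLAIN_SESSION = """\
S: +OK POP3 server ready
C: USER alice
S: +OK
C: PASS example-password
S: +OK maildrop ready
C: QUIT"""

GSSAPI_SESSION = """\
S: +OK POP3 server ready
C: AUTH GSSAPI
S: +
C: Y29uc3RydWN0ZWQtdG9rZW4tMQ==
S: + Y29uc3RydWN0ZWQtdG9rZW4tMg==
C: Y29uc3RydWN0ZWQtdG9rZW4tMw==
S: +OK maildrop ready
C: QUIT"""


def audit_pop3_session(transcript):
    """Classify how the client authenticated and redact any cleartext secret."""
    method, password_on_wire, in_sasl, redacted = None, False, False, []
    for raw in transcript.splitlines():
        side, text = raw[:1], raw[2:].strip()
        if side == "S":
            # A final +OK/-ERR status ends the AUTH exchange; "+ ..." continues it.
            if in_sasl and text.startswith(("+OK", "-ERR")):
                in_sasl = False
        elif in_sasl:
            text = "<sasl-token>"  # base64 response, must not be parsed as a command
        else:
            verb, _, arg = text.partition(" ")
            if verb.upper() == "PASS":
                method, password_on_wire = "USER/PASS", True
                text = "PASS <redacted>"  # keep the secret out of audit output
            elif verb.upper() == "AUTH" and arg:
                method, in_sasl = "AUTH " + arg.split()[0].upper(), True
        redacted.append(f"{side}: {text}")
    return {"method": method, "password_on_wire": password_on_wire,
            "redacted": redacted}


if __name__ == "__main__":
    for name, session in (("plain", PLAIN_SESSION), ("gssapi", GSSAPI_SESSION)):
        result = audit_pop3_session(session)
        print(name, result["method"], result["password_on_wire"])
```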


