[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: PAM setting arb parameters

Derrick J Brashear wrote:

> This beyond the scope of PAM, and it should be. PAM is after all "Pluggable
> Authentication Modules", and while that's information which is dependant on who
> authenticates, it's not authentication information.

It is beyond the scope of PAM, yes - but this should mean that PAM
should pass this data, and not interpret it in any way.

The reason why I'd like PAM to handle this is because actual
authentication is only part of a login process. In actual applications,
the authentication part is handled by PAM, however credentials are set
using machine specific funstions.

As a result, the advantages of using PAM are lost.

As a concrete example, I wanted to install PAM support into the Apache
webserver, so that I could do basic authentication using PAM. The
trouble was, to check whether a user was in the required group, it used
Linux specific calls to determine group membership.

This has prevented me both from running this module under Solaris, and
also authenticating people using LDAP (the pam_ldap module).

> Given that you already need to code your patches to understand this infromation
> (since it's not just generic PAM information) I have 2 suggestions:
> a) use pam_putenv foo to set environment variables, and pam_getenv to read them
> back out in the app, if you *must* do it through pam .

I think the best suggestion should be the creation of a parallel
prototol, perhaps called Pluggable Credentials Modules, that would do
the same as PAM, but for credentials.

An application can then use PAM, PCM, or both at it's discretion.

Any thoughts?

graham@vwv.com			"There's a moon
VWV Interactive				over Bourbon Street

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []