
Re: XSSO? How to communicate to XSSO/PAM external authentication info?



Come on, someone on this list must know something about XSSO. Heck,
there are even stubs in LinuxPAM for XSSO extensions.


I can see the use of pam_authenticate_secondary() and pam_get_mapped_*
and so on, but that's for tasks such as getting Kerberos tickets when
Kerberos isn't your primary form of authentication.

I think something like, say, pam_gss_authenticated() is needed. Its
arguments would be a PAM handle, a GSS mechanism OID (gss_OID_desc), a
GSS QoP OID and a principal name (gss_name_t).

Applications that use Kerberos directly instead of GSS-API could still
use pam_gss_authenticated() by converting the KRB5 principal name into a
gss_name_t and by getting the relevant OIDs.

Nico


On Mon, Aug 21, 2000 at 03:48:31PM -0400, Nicolas Williams wrote:
> 
> So, I've been looking at XSSO [*], the X/Open PAM-based single sign-on
> spec. I like their pretty SSO pictures, and particularly the one where
> an application uses GSS-API to authenticate to a remote service which
> then uses XSSO to validate the client.
> 
> I'm looking for how such a service would use XSSO (PAM) in that case. It
> doesn't seem like there is an API for informing XSSO of the GSS-API
> authentication information (mechanism(s), client principal(s)) so XSSO
> can correctly authenticate and authorize the client.
> 
> Can someone enlighten me as to the above?
> 
> [*] http://www.opengroup.org/pubs/catalog/p702.htm
> 
> Thanks,
> 
> Nico