Re: XSSO? How to communicate to XSSO/PAM external authentication info?

On Fri, Aug 25, 2000 at 08:46:10PM -0700, Andrew Morgan wrote:
> Nicolas Williams wrote:
> > I now think that PAM binary prompts could certainly be used to handle
> > GSS-API and anything else such as raw Kerberos, SRP and so on.
> I think binary prompts are not quite the complete solution. We also need
> some event driven model for supporting ticket expiration/renewal but I
> agree with this sentiment.

Well, sort of. If the service already knows what kind of authentication
type will be used before calling pam_authenticate(), then there's no
need for an event system.

BTW, I've read the event thread and have some thoughts to share on that.

Here are some thoughts on the event system:

 - have a PAM event type and a pam_raise() function for raising those
   events. Thus, the PAM app might wait only on creds expiration and
   session exit events, which would be PAM events raised by handlers for
   raw system events, such as signals, file descriptor data, etc...

 - allow the PAM app to provide its own registration callback function
   so PAM's system can play nice with any event system the app may
   already have

 - signals are NOT that hard to handle; the app just has to cooperate a
   bit. As long as PAM and the app remember the current signal handler
   for any signal when installing their own, and as long as both can
   deal with spurious signals all should be ok. Well, yes, I know, the
   app and PAM would have to have the same preferences for syscall
   interruption settings, alternate stacks and so on

I'll share more sometime next week. My son was born this morning, so
I'll tune out for some time (don't tell my wife I got on the Net
today!  :)

> Perhaps you'd like to write out a typical event loop for gss type
> authentication and ticket renewal? That should help identify where PAM
> is lacking at present.

Well, GSS-API auth is synchronous, so events aren't really needed here.

> > Notice that GSS-API binary prompts don't seem to fit any of the
> > currently allocated binary prompt control characters. This is an area
> > that might need work to make this approach possible.
> Perhaps you could include details here too?

I will, late next week.

> Thanks
> Andrew



