[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: XSSO? How to communicate to XSSO/PAM external authentication info?



On Sat, Aug 26, 2000 at 02:28:49PM +0200, Ingo Luetkebohle wrote:
> On Fri, Aug 25, 2000 at 09:53:13PM -0400, Nicolas Williams wrote:
> >     - pam_gss would probably be first in the auth stack and would issue
> >       a binary prompt asking ftpd to negotiate for GSS-API
> 
> Trouble is, RFC 2228 mandates that its the *client* that suggests
> which auth protocol to use and the server is supposed to know which
> auth protocols it can support. I don't see how that can be made to
> work with PAM's current prompting mechanism.

So? Pam_gss would be issuing the binary prompt, and in such protocols
the service had better already know what auth type was negotiated. PAM
still would get to authorize the use of any particular authentication
type though, via pam_acct_mgmt().

> Even in protocols like IMAP, where the client has to give the server
> some control by issueing a CAPABILITY request, the server has to know
> which authentication protocols it can support *before* actual
> negotiation takes place. Similiar problem.

Again, no big deal. See above. You just would have to have a special PAM
module for every kind of authentication other than basic (username and
password) that you wish to support.

> ---Ingo Luetkebohle / 21st Century Digital Boy
> 
> its easy to stop using Perl: I do it after every project
> 


Nico
--





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []