[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: XSSO? How to communicate to XSSO/PAM external authentication info?



On Sun, Aug 27, 2000 at 01:09:25AM +0200, Ingo Luetkebohle wrote:
> On Thu, Aug 24, 2000 at 05:04:02PM -0700, Andrew Morgan wrote:
> > Before we go there. Is there any reason why we couldn't pursue the idea
> > of implementing GSS's authentication in a PAM module?
> 
> Maybe because GSSAPI and PAM do essentially the same thing, in
> different ways? Only things that are orthogonal integrate easily, but
> GSSAPI and PAM aren't.
> 
> -- 
> Ingo Luetkebohle / 21st Century Digital Boy
> 
> its easy to stop using Perl: I do it after every project
> 

Please read the other recent posts by me on this topic.

To summarize: PAM offers authentication, [coarse] authorization, session
management, etc... GSS-API only does authentication, yet the parameters
involved in GSS auth (e.g., mechanism(s), client principal name(s), QoP)
are worth knowing about in PAM so pam_acct_mgmt can make useful
decisions based on those. Initially I did not propose tight integration
between GSS-API and PAM (heck, I was sceptical of such a proposal by
Andrew), but Andrew changed my mind.

Now that I see that PAM binary prompts can allow integration of the two
things I also see that programs that support GSS-API might also be
simpler if the GSS stuff is moved to PAM. Why? Because all the
programmer would have to do is provide a binary conversation function
and use PAM as normal, letting pam_authenticate() and the conversation
function do all the work. Reuse would certainly be promoted if you
integrate PAM and GSS-API; and mind you, we're not talking about
integration really, but about how a service, PAM and a module for doing
GSS-API authentication would interact.

As I think about it I am more and more convinced that this is useful. I
could be wrong. :)

Nico
--





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []