
Re: XSSO? How to communicate to XSSO/PAM external authentication info?

Nicolas Williams wrote:
> For now, I would be happy if we can come to an agreement on the
> feasibility and utility of using PAM binary prompts to move GSS-API
> handling from the PAM app to a PAM module as discussed so far.
> We'll probably need to poke some more holes in this proposal. Ingo, for
> example, noticed the problem that the PAM app has to be able to get at
> the GSS context after pam_authenticate() returns (easy to solve). And I
> think that the binary prompt control character, as it stands, won't do.
> I should post a complete flow description of how this would work.
> Once this can be made to work (we'll need a prototype, probably) we can
> then extend the approach to authentication negotiation, which, I think,
> is doable.

What this triggered in my mind is that all this stuff, while quite
useful from an administrator's point of view, seems to be way too complex
at the application level.  And there will be tons of incompatibilities
between PAM modules and particular applications around this.

Complexity is not a good thing in respect of security...

As far as I see, PAM lacks one feature that is almost required to
be present for some sorts of protocols -- the ability of the
_application_ to ask PAM about something, not PAM asking the
application (the direction opposite to the conversation function).
This can't be implemented in the current infrastructure --
concepts would have to be changed for this to work.
The point here is that many (most?) network protocols just
can't work with the PAM model by design (ok, can't work _well_),
and examples are trivial -- just plain ftp/pop shows that
nicely.  One little thought -- maybe we should think in the
other direction -- i.e. correcting the _protocols_ so that they
will work nicely with one centralized/well-managed "AAA"
infrastructure? :^8 (read: _BIG_ funny smiley here!)
With the proposed approach, will currently trivial applications
(like pop/ftp for example) be just too fat and complex and
_unmanageable_ from an administrator's view (incompatibilities between
modules, a separate set of modules for each protocol etc.)
so that the whole picture will be just a nightmare?

I'm not sure about this...


> Nico
