[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: XSSO? How to communicate to XSSO/PAM external authentication info?

On Mon, Aug 28, 2000 at 11:14:50AM -0400, Nicolas Williams wrote:
> For now, I would be happy if we can come to an agreement on the
> feasibility and utility of using PAM binary prompts to move GSS-API
> handling from the PAM app to a PAM module as discussed so far.
> We'll probably need to poke some more holes in this proposal. Ingo, for
> example, noticed the problem that the PAM app has to be able to get at
> the GSS context after pam_authenticate() returns (easy to solve).

Taking these two paragraphs together with your original post, you want:
	1) use GSSAPI information in the PAM authorization stage
	2) use GSSAPI calls for later cryptographic processing in the

So the goal is obviously not to remove the necessity of GSSAPI

It would seem to me that the far easier approach would be to cut PAM
into pieces, one for the authentication, one for authorization and one
for accounting. That should make it possible easily to use PAM's
authorization steps together with GSSAPI authentication -- just
populate the PAM information struct from GSSAPI (through the
gss_inquire_cred and gss_inquire_context calls) and then call
pam_acct_mgmt, for example. I'm not sure, yet, but this might even be
doable without any modification to PAM at all. All that needs to be
written is a transfer-function.

Thats incidently what I aimed at with my earlier mention of the
conceptual seperation between these stages: If, like PAM does, you
lump it all together you'll always run into the kind of integration
problems like the one we spent quite some mals about. If, instead, you
have it in pieces, you can easily integrate it by sticking parts

Ingo Luetkebohle / 21st Century Digital Boy

its easy to stop using Perl: I do it after every project

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []