[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: XSSO? How to communicate to XSSO/PAM external authenticationinfo?

ok, i looked up SPNEGO on google.com, and came up with this:
draft-ietf-cat-snego-09.txt, which can also be found with google.com on
the ietf site.

can i recommend that people examine this text.  it provides a means for
the Simple, Protected NEGOtiation of GSSAPI.

i think that the way it works is that, instead of saying, with GSSAPI "hi,
mr server, we're going to use _this_ security method today", at which
point the server tells the client to get lost, it says:

"hi mr server, i'd like you to tell me what security mechanisms you

and then the client chooses one.

and _then_ you use GSSAPI from then on.

> > > Adapting an app to use GSS-API generally requires protocol and code
> > > changes.

why adapt the application?  why not just have the PAM module that the app
uses provide the authentication?

_if_ the app _does_ in fact require GSS-API-auth/etc., _then_ it can call
pam_gss_xxxx etc() _but_:

it should _not_ be a mandatory requirement for an app that uses
gss-api-enabled-PAM modules to _have_ to be aware of that fact.

this provides an upgrade path, just like what PAM provided in the first

authentication and encryption should _not_ be an application's job, it
should be PAM's job.

PAM should be flexible enough to negotiate _any_ current and future
authentication scheme.

PAM should provide a means by which the authentication and encryption
level _can_ be:

1) passed through, such that _if_ the authentication mechanisms provides
an "impersonation" method, an application can *securely* contact *further*
applications using "impersonation", and WITHOUT the application having to
worry about the details.

Kerberos-5 is such a security mechanism that allows "impersonation".

2) queried to ensure minimum or maximum levels of security.

regarding 1), i think that the proposal of "binary" prompts is a means
being considered to provide effective "pass-through" mechanisms, yes, or

in other words, a PAM-enabled application has been activated by a user
login.  the password is NOT, repeat, NOT available to the application.
however, the PAM-enabled application wishes to activate, or use, _another_
PAM-enabled application.  however, there is currently _no_ method to do
this, using PAM, because PAM requires the user-password as input.

uh-oh :)

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []