From: Terry Lambert
Subject: GSS-API and PAM (was list 'o things)
To: n@nectar.com (Jacques A. Vidrine)
Cc: arch@freebsd.org
Date: Sat, 17 Feb 2001 23:19:46 +0000 (GMT)
Message-Id: <200102172319.QAA11294@usr05.primenet.com>
In-Reply-To: <20010217085622.A37238@spawn.nectar.com> from "Jacques A. Vidrine" at Feb 17, 2001 08:56:22 AM

> PAM does not and cannot provide the same functionality as the Kerberos
> API, GSS-API or SASL.  PAM is targeted at interactive authentication --
> give it a username and password, and return yes/no indicating
> authentication success or failure [1].  Once authentication is done, PAM
> is no longer involved (except for a possible clean-up when we log out --
> though this is commonly not implemented).

Please see either of:

    http://www.opengroup.org/onlinepubs/008329799/
    http://www.kernel.org/pub/linux/libs/pam/pre/doc/xsso.ps.gz

for the XSSO (X/Open Single Sign On service) PAM documentation.  In
particular, please look at the PAM API and SPI, and at the session
management functions and session management module functions.

> The other mechanisms (particularly Kerberos and GSS-API) do not concern
> themselves with initial authentication, but rather with handling the
> secure transfer of data between applications, including encryption and
> credential forwarding and such.

PAM concerns itself with five different types of service modules:
Authentication (which is the one you were talking about), account
management, session management, and mapping.

It's true that Linux does not implement GSS-API and PAM integration,
but it _is_ possible to put one under the other.

> So, to repeat: PAM and GSS-API are orthogonal.  One is not going to
> ``take over completely'' at the expense of the other.  Even SASL and
> GSS-API don't exactly compete -- to an extent, SASL is layered over
> GSS-API.

It was my impression that XSSO had extended PAM to the point that it
incorporates GSS-API functionality; yeah, I know it's not RFC 15xx
compliant, but it doesn't really matter: it's a de facto standard.

> Further, Kerberos is not the only way to get security and encryption
> with, say, TELNET.  Other GSS-API implementations can be plugged in
> quite easily, such as X.509/SSL or DCE.  (We have OpenSSL in the base
> now -- it probably makes sense to add this support to these daemons at
> some point.)

Yes.  RSA is specifically mentioned as a Kerberos option for GSS-API,
in the original documents.

					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.