Date: Sat, 17 Feb 2001 23:19:46 +0000 (GMT)
From: Terry Lambert <tlambert@primenet.com>
To: n@nectar.com (Jacques A. Vidrine)
Cc: arch@freebsd.org
Subject: GSS-API and PAM (was list 'o things)
Message-ID: <200102172319.QAA11294@usr05.primenet.com>
In-Reply-To: <20010217085622.A37238@spawn.nectar.com> from "Jacques A. Vidrine" at Feb 17, 2001 08:56:22 AM
> PAM does not and cannot provide the same functionality as the Kerberos
> API, GSS-API or SASL. PAM is targeted at interactive authentication --
> give it a username and password, and return yes/no indicating
> authentication success or failure [1]. Once authentication is done, PAM
> is no longer involved (except for a possible clean-up when we log out --
> though this is commonly not implemented).

Please see either of:

http://www.opengroup.org/onlinepubs/008329799/
http://www.kernel.org/pub/linux/libs/pam/pre/doc/xsso.ps.gz

for the XSSO (X/Open Single Sign On service) PAM documentation. In particular, please look at the PAM API and SPI, and at the session management functions and session management module functions.

> The other mechanisms (particularly Kerberos and GSS-API) do not concern
> themselves with initial authentication, but rather with handling the
> secure transfer of data between applications, including encryption and
> credential forwarding and such.

PAM concerns itself with five different types of service modules: Authentication (which is the one you were talking about), account management, session management, and mapping.

It's true that Linux does not implement GSS-API and PAM integration, but it _is_ possible to put one under the other.

> So, to repeat: PAM and GSS-API are orthogonal. One is not going to
> ``take over completely'' at the expense of the other. Even SASL and
> GSS-API don't exactly compete -- to an extent, SASL is layered over
> GSS-API.

It was my impression that XSSO had extended PAM to the point that it incorporates GSS-API functionality; yeah, I know it's not RFC 15xx compliant, but it doesn't really matter: it's a de facto standard.

> Further, Kerberos is not the only way to get security and encryption
> with, say, TELNET. Other GSS-API implementations can be plugged in
> quite easily, such as X.509/SSL or DCE. (We have OpenSSL in the base
> now -- it probably makes sense to add this support to these daemons at
> some point.)
Yes. RSA is specifically mentioned as a Kerberos option for GSS-API, in the original documents.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
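The message's point is that PAM's service module types reach beyond the authentication call, and that a Kerberos mechanism can be placed under PAM rather than beside it. The policy below is an added illustration, not part of the message and not FreeBSD's shipped configuration: it is written in the OpenPAM/FreeBSD /etc/pam.d syntax (one file per service, columns `module-type control-flag module arguments`) for a hypothetical service named `example-login`, and assumes the pam_krb5, pam_unix, pam_nologin, pam_login_access and pam_lastlog modules with the options shown.

```conf
# /etc/pam.d/example-login -- hypothetical service, added illustration
# Columns: module-type  control-flag  module  [arguments]

# Authentication stack (pam_authenticate). Kerberos is tried first and is
# "sufficient": success ends the stack; failure falls through to the local
# password database. pam_setcred() on this same stack is where pam_krb5
# establishes the ticket cache that later session work relies on.
auth        sufficient  pam_krb5.so         no_warn try_first_pass
auth        required    pam_unix.so         no_warn try_first_pass nullok

# Account management stack (pam_acct_mgmt): the user is already
# authenticated; these modules decide whether the account may be used now.
account     required    pam_nologin.so
account     required    pam_login_access.so
account     required    pam_unix.so

# Session management stack (pam_open_session / pam_close_session):
# per-login setup and teardown, independent of how authentication happened.
session     required    pam_lastlog.so      no_fail

# Password management stack (pam_chauthtok): the same backends, in the same
# order, so a password change lands in Kerberos first and locally otherwise.
password    sufficient  pam_krb5.so         no_warn try_first_pass
password    required    pam_unix.so         no_warn try_first_pass
```

Read top to bottom this is the API sequence an application walks: pam_start, pam_authenticate, pam_setcred, pam_acct_mgmt, pam_open_session, later pam_close_session and pam_end. OpenPAM and Linux-PAM implement four XSSO module types (auth, account, session, password); the mapping type the message mentions has no column in this file format.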