From owner-freebsd-security@FreeBSD.ORG Wed Sep 4 13:02:51 2013
From: Dag-Erling Smørgrav
To: Lev Serebryakov
Cc: freebsd-security@FreeBSD.org, Slawa Olhovchenkov
Subject: Re: OpenSSH, PAM and kerberos
Date: Wed, 04 Sep 2013 15:02:21 +0200
Message-ID: <86k3iwrb8i.fsf@nine.des.no>
In-Reply-To: <1943226951.20130904142012@serebryakov.spb.ru> (Lev Serebryakov's message of "Wed, 4 Sep 2013 14:20:12 +0400")
References: <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <20130903095316.GH3796@zxy.spb.ru> <86li3euovr.fsf@nine.des.no> <20130903115050.GJ3796@zxy.spb.ru> <864na2ujh7.fsf@nine.des.no> <20130903142205.GL3796@zxy.spb.ru> <86mwnuszag.fsf@nine.des.no> <1943226951.20130904142012@serebryakov.spb.ru>
Lev Serebryakov writes:

> I tried to write a short list of requirements for this completely new
> solution; where am I wrong? I'm sure I am, but where? Thank you.

This is a very good list, and very close to what I was thinking. Some items, e.g. (1) and (4), seem blindingly obvious to me, but perhaps not to everybody.

Regarding compatibility: support for the legacy getpw* API is an absolute requirement. If we can't achieve that, we can just forget about the whole thing. NSS and PAM compatibility, however, would be on a "best effort" basis. Allowing existing applications to use the new framework through NSS and PAM should be fairly easy. Allowing the new framework to use existing NSS and PAM modules would be hard, and probably not worth the effort if we can provide plugins for the most important backends (LDAP, Kerberos, RADIUS, OATH...) from day one.

DES

-- 
Dag-Erling Smørgrav - des@des.no
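The "legacy getpw* API" the message calls an absolute requirement is the interface below. This is an added illustration, not code from the thread or from any FreeBSD framework: it shows how an existing application correctly consumes getpwnam_r(3), including the ERANGE retry that callers need because the sysconf() size is only a hint and a backend such as LDAP may return long entries. The helper name lookup_uid is an assumption made for the example.

```c
/* Added example (not from the mailing-list thread): a consumer of the
 * legacy getpw* API that any replacement user-database framework must
 * keep working. Uses reentrant getpwnam_r(3) with the ERANGE retry loop
 * that correct callers need; the sysconf() buffer size is only a hint. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Look up a user by name. Returns 0 and sets *out_uid on success,
 * -1 if the user does not exist, or a positive errno on a real error.
 * Hypothetical helper name; not part of FreeBSD or any libc API. */
int lookup_uid(const char *name, uid_t *out_uid)
{
    struct passwd pw, *result = NULL;
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t len = hint > 0 ? (size_t)hint : 1024;
    char *buf = NULL;

    for (;;) {
        char *tmp = realloc(buf, len);
        if (tmp == NULL) {
            free(buf);
            return ENOMEM;
        }
        buf = tmp;

        int rc = getpwnam_r(name, &pw, buf, len, &result);
        if (rc == ERANGE) {
            /* Entry did not fit (long GECOS, long home path...): grow and retry,
             * with an upper bound so a hostile backend cannot exhaust memory. */
            if (len >= (1u << 20)) {
                free(buf);
                return ERANGE;
            }
            len *= 2;
            continue;
        }
        if (rc == ENOENT || rc == ESRCH || (rc == 0 && result == NULL)) {
            free(buf);          /* libcs report "no such user" either way */
            return -1;
        }
        if (rc != 0) {
            free(buf);
            return rc;          /* real error, e.g. EIO from a remote backend */
        }
        *out_uid = pw.pw_uid;
        free(buf);              /* copy out before freeing: pw points into buf */
        return 0;
    }
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "root";
    uid_t uid = 0;
    int rc = lookup_uid(name, &uid);
    if (rc == 0)
        printf("%s -> uid %lu\n", name, (unsigned long)uid);
    else if (rc == -1)
        printf("%s: no such user\n", name);
    else
        printf("%s: lookup failed: %s\n", name, strerror(rc));
    return rc == 0 ? 0 : 1;
}
```

Whatever sits behind this call (files, NSS module, or a new plugin framework) is invisible to the application, which is the compatibility property the message insists on; the application only sees the struct passwd fields and the three outcomes handled above.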