Date: Thu, 8 Jul 1999 04:23:29 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
To: Kris Kennaway <kkennawa@physics.adelaide.edu.au>
Cc: Ladavac Marino <mladavac@metropolitan.at>, "'Josef Karthauser'" <joe@pavilion.net>, Brian Somers <brian@awfulhak.org>, Mark Thomas <thomas@clark.net>, freebsd-security@freebsd.org, Wayne Self <wself@cdrom.com>
Subject: Re: Credential storage (was RE: userland ppp - startup)
Message-ID: <Pine.BSF.3.96.990708042023.17280B-100000@fledge.watson.org>
In-Reply-To: <Pine.OSF.4.10.9907081046500.21412-100000@bragg>
On Thu, 8 Jul 1999, Kris Kennaway wrote:

> You know, I wonder if it's time to look at providing a generic
> credential storage registry; things like password hashes, PPP shared
> secrets, etc., could be stored here instead of in lots of separate files.
>
> So user account passwords could point to a SHA-1 hash in the registry,
> ppp shared secrets would point to an NT and/or LM hash, samba accounts
> could have an associated NT/LM hash, etc. More than one hash could be
> associated with any given entity.
>
> The modules which manipulate individual credentials (hashes) would be
> pluggable along the lines of PAM.
>
> What do people think - is this worth pursuing?

It is worth pursuing, but my feeling is that we should wait until IPSEC is
integrated so we have some idea of the key management requirements there.
I'm also tempted to say that this should not be just a system credential
management, but part of a general key-management toolkit and
authentication package, but that's fairly heavy-weight, and still a topic
of open research. :-)

The problem is of course that you need to express policies concerning key
strength, provide key management functionality, and support more than
just hashes and passwords: ideally also public/private key -- perhaps as a
back end to sshd. Which brings up certificate management, ...

My feeling is we should let all this stuff settle and work with an
interim temporary solution without exerting too much effort.

Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Computing Laboratory at Cambridge University
Safeport Network Services
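As an added illustration of the registry Kris proposes and the key-strength policy Robert raises (example code written for this page, not from the thread or from FreeBSD): each entity can hold several credential types, the per-type modules plug in by name in the PAM-like fashion described, and a minimum-strength policy decides which types may satisfy a given check. The module names, strength numbers and the `Registry` class are constructed for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Pluggable credential modules, keyed by name (constructed for this example).
# Each module knows how to derive and verify exactly one credential type.
MODULES = {}

def module(name, strength):
    """Register a credential module under `name` with a coarse strength rating."""
    def register(cls):
        cls.name, cls.strength = name, strength
        MODULES[name] = cls
        return cls
    return register

@module("sha1", strength=1)  # unsalted SHA-1 as mentioned in the thread; rated weak
class Sha1Module:
    @staticmethod
    def derive(secret: bytes, salt: bytes = None) -> bytes:
        return hashlib.sha1(secret).digest()

    @classmethod
    def verify(cls, secret: bytes, stored: bytes) -> bool:
        return hmac.compare_digest(cls.derive(secret), stored)

@module("pbkdf2-sha256", strength=3)  # salted, iterated hash; rated strong
class Pbkdf2Module:
    @staticmethod
    def derive(secret: bytes, salt: bytes = None) -> bytes:
        salt = os.urandom(16) if salt is None else salt
        return salt + hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)

    @classmethod
    def verify(cls, secret: bytes, stored: bytes) -> bool:
        # The 16-byte salt is stored as a prefix of the credential record.
        return hmac.compare_digest(cls.derive(secret, stored[:16]), stored)

@dataclass
class Registry:
    creds: dict = field(default_factory=dict)  # entity -> {type name: stored hash}

    def add(self, entity: str, kind: str, secret: bytes) -> None:
        self.creds.setdefault(entity, {})[kind] = MODULES[kind].derive(secret)

    def verify(self, entity: str, secret: bytes, min_strength: int = 1):
        """Return the name of the credential type that matched, or None.
        Policy: only consult types whose strength meets the caller's minimum."""
        for kind, stored in self.creds.get(entity, {}).items():
            mod = MODULES[kind]
            if mod.strength >= min_strength and mod.verify(secret, stored):
                return kind
        return None
```

A service that needs stronger assurance (the sshd back end Robert mentions, say) would call `verify` with a higher `min_strength`, so an entity that only has a weak SHA-1 record cannot authenticate to it even with the right secret.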