Date:      Tue, 10 Mar 1998 17:17:57 -0800
From:      Mike Smith <mike@smith.net.au>
To:        Robert Watson <robert+freebsd@cyrus.watson.org>
Cc:        Mike Smith <mike@smith.net.au>, Mark Mayo <mark@vmunix.com>, Andrzej Bialecki <abial@nask.pl>, tcobb@staff.circle.net, hackers@FreeBSD.ORG, msmith@FreeBSD.ORG
Subject:   Re: PAM? 
Message-ID:  <199803110117.RAA20969@dingo.cdrom.com>
In-Reply-To: Your message of "Tue, 10 Mar 1998 19:57:25 EST." <Pine.BSF.3.96.980310195242.17362H-100000@trojanhorse.pr.watson.org> 

> On Tue, 10 Mar 1998, Mike Smith wrote:
> 
> One possibility is to use Kerberos as a possible alternative to PAM itself
> -- any authentication system that uses a shared secret (SecurID might fit
> into that if the server can predict the secret ahead of time -- I'm not
> familiar with SecurID) can be patched into the Kerberos server.  Now any
> code compiled to support Kerberos supports (shared secret authentication
> method of choice). 

Actually, that's not where PAM fits in at all.

PAM is, as its name suggests, a standardised modular framework within 
an application which allows the use of multiple authentication 
techniques, one of which may be Kerberos.

One of the features of the framework is that it separates the 
configuration of authentication policy from the implementation.  Thus, 
it is practical to 'stack' authentications in a primitive fashion.

On the other hand, PAM has a number of serious drawbacks in the design of
the interface between the application and the framework, which make 
generalised PAMification of many common applications extremely tedious.
At least part of the problem is that PAM was meant to be integrated in 
the perimeter security of the XSSO model, rather than in the piecemeal 
fashion it is currently deployed.

-- 
\\  Sometimes you're ahead,       \\  Mike Smith
\\  sometimes you're behind.      \\  mike@smith.net.au
\\  The race is long, and in the  \\  msmith@freebsd.org
\\  end it's only with yourself.  \\  msmith@cdrom.com
