Message-Id: <199803110117.RAA20969@dingo.cdrom.com>
To: Robert Watson
cc: Mike Smith, Mark Mayo, Andrzej Bialecki, tcobb@staff.circle.net, hackers@FreeBSD.ORG, msmith@FreeBSD.ORG
Subject: Re: PAM?
In-reply-to: Your message of "Tue, 10 Mar 1998 19:57:25 EST."
Date: Tue, 10 Mar 1998 17:17:57 -0800
From: Mike Smith
Sender: owner-freebsd-hackers@FreeBSD.ORG

> On Tue, 10 Mar 1998, Mike Smith wrote:
>
> One possibility is to use Kerberos as a possible alternative to PAM itself
> -- any authentication system that uses a shared secret (SecurID might fit
> into that if the server can predict the secret ahead of time -- I'm not
> familiar with SecurID) can be patched into the Kerberos server.  Now any
> code compiled to support Kerberos supports (shared secret authentication
> method of choice).

Actually, that's not where PAM fits in at all.  PAM is, as its name
suggests, a standardised modular framework within an application which
allows the use of multiple authentication techniques, one of which may
be Kerberos.  One of the features of the framework is that it separates
the configuration of authentication policy from the implementation.
Thus, it is practical to 'stack' authentications in a primitive fashion.

On the other hand, PAM has a number of serious drawbacks in the design
of the interface between the application and the framework, which make
generalised PAMification of many common applications extremely tedious.
At least part of the problem is that PAM was meant to be integrated in
the perimeter security of the XSSO model, rather than in the piecemeal
fashion it is currently deployed.

-- 
\\  Sometimes you're ahead,       \\  Mike Smith
\\  sometimes you're behind.      \\  mike@smith.net.au
\\  The race is long, and in the  \\  msmith@freebsd.org
\\  end it's only with yourself.  \\  msmith@cdrom.com
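
Added example (not part of the message above and not PAM source code): a simplified model of how a stacked policy is evaluated, showing the same authenticate() call giving different outcomes when only the policy text changes. It goes beyond the message in using the four classic control keywords of Linux-PAM configuration (required, requisite, sufficient, optional); the module names, secrets and function names are hypothetical.

```python
import hmac

CONTROLS = ("required", "requisite", "sufficient", "optional")

def parse_policy(text):
    """Parse 'control module' lines, ignoring blank lines and # comments."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            control, module = line.split()
            if control not in CONTROLS:
                raise ValueError("unknown control flag: " + control)
            stack.append((control, module))
    return stack

def authenticate(stack, modules, user, creds):
    """Run the stack; return (granted, names of the modules consulted)."""
    failed = succeeded = False
    consulted = []
    for control, name in stack:
        ok = modules[name](user, creds)
        consulted.append(name)
        if ok:
            succeeded = True
            if control == "sufficient" and not failed:
                return True, consulted   # success here ends the stack
        elif control == "requisite":
            return False, consulted      # failure here ends the stack
        elif control == "required":
            failed = True                # keep running, but deny at the end
        # a failed sufficient or optional module is ignored
    return succeeded and not failed, consulted

def backend(table, field):
    """Build a module that checks one credential field against a stored secret."""
    def module(user, creds):
        expected, given = table.get(user), creds.get(field)
        return bool(expected and given) and hmac.compare_digest(expected, given)
    return module

# Constructed secrets and module names, for illustration only.
MODULES = {
    "krb5": backend({"alice": "tkt-alice"}, "ticket"),
    "unix": backend({"alice": "wonderland", "bob": "builder"}, "password"),
    "otp": backend({"bob": "492817"}, "otp"),
}
TICKET_OR_PASSWORD = parse_policy("sufficient krb5\nrequired unix")
PASSWORD_THEN_OTP = parse_policy("requisite unix  # stop early on a bad password\nrequired otp")
```

Under TICKET_OR_PASSWORD a valid ticket ends the stack after one module; under PASSWORD_THEN_OTP a bad password ends it before the one-time code is ever checked.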