From owner-freebsd-current@FreeBSD.ORG Mon Dec 1 21:15:38 2003
From: "Brandon S. Allbery KF8NH"
To: kientzle@acm.org
Cc: Dag-Erling Smørgrav, freebsd-current@freebsd.org, Garrett Wollman
Subject: Re: NSS and PAM
Date: Tue, 02 Dec 2003 00:14:22 -0500
Message-Id: <1070342062.45378.14.camel@pyanfar.ece.cmu.edu>
In-Reply-To: <3FCBF7D9.10609@acm.org>

On Mon, 2003-12-01 at 21:24, Tim Kientzle wrote:
> Why is the directory "usually the worst" for storing
> authentication information?

This one's fairly easy to answer: you want to stick authentication data into a potentially public/exposed directory? Even traditional Unix uses /etc/shadow (or more complex solutions on some commercial systems) these days, so the password isn't in the "directory" (/etc/passwd).

However, I have to agree with des's argument: a combined matrix for directory and authentication services doesn't mean the *data* must be combined. Using (for example) SIA, one could specify Kerberos 5 (my guess as to wollman's "better answer") and LDAP, and simply not specify entry points for the parts that each doesn't handle (Kerberos doesn't support directory services, and LDAP isn't being used for authentication), with later entries falling back to NIS or traditional files. But this arrangement allows traditional APIs to work reasonably --- and you can layer PAM and NSS on top of it as compatibility APIs.

-- 
brandon s. allbery  [linux,solaris,freebsd,perl]  allbery@kf8nh.com
system administrator  [WAY too many hats]  allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon univ.  KF8NH
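The split the message argues for (directory data from one source, credentials verified by another, with later entries as fallback) is what NSS and PAM express on a FreeBSD host. The fragment below is an added illustration written for this archive page, not configuration from the message or from the FreeBSD project; it assumes the nss_ldap port is installed so that "ldap" is a valid nsswitch.conf source, and that pam_krb5.so from the base system is available. Note that LDAP appears only on the lookup side and Kerberos only on the authentication side, so no password material has to be published in the directory.

```conf
# /etc/nsswitch.conf (directory side: which accounts exist, uid/gid, shell).
# Local files are consulted first; LDAP (nss_ldap, assumed installed)
# supplies the remaining account attributes.  No hash is served from here:
# local hashes stay in /etc/master.passwd, and the LDAP entries carry only
# directory attributes.
passwd: files ldap
group:  files ldap

# /etc/pam.d/sshd, auth section (authentication side).
# Kerberos 5 verifies the password first; "sufficient" means a successful
# Kerberos check ends the chain.  If the user has no principal, the chain
# falls through to pam_unix and the local hash.  LDAP is not consulted at all.
auth    sufficient  pam_krb5.so   no_warn try_first_pass
auth    required    pam_unix.so   no_warn try_first_pass
```

The two files change independently: adding "nis" after "ldap" in nsswitch.conf extends the lookup fallback without touching how passwords are checked, and removing the pam_krb5 line removes Kerberos authentication without affecting which accounts are visible to getpwnam(3).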