From: Terry Lambert
Reply-To: tlambert2@mindspring.com
Date: Wed, 30 May 2001 01:36:25 -0700
To: Sheldon Hearn
Cc: Mark Murray, arch@FreeBSD.ORG
Subject: Re: PAM, S/Key and authentication schemes.

Sheldon Hearn wrote:
> On Fri, 25 May 2001 14:42:40 +0200, Mark Murray wrote:
> > I have already tested this on my home cluster with su(1) (I just
> > made su a PAM-only thing), and this makes the code a whole lot
> > simpler. Simpler code == safer code.
>
> I think that the real win here is that we come out with a
> FreeBSD that uses a flexible authentication management system
> that requires once-off learning that can then be applied to
> the configuration of policies for multiple tools.
>
> Of course there are other benefits. One is the ease of
> implementation of new authentication schemes that, once
> deployed, are immediately available in all the appropriate
> tools.
>
> I think where you're going with this is excellent. What's
> your anticipated time frame for getting what we have today
> rationalized?

We talked to the Sun guy who came up with PAM at the last
FreeBSD user's group meeting, in Foster City, CA, last month.

The PAM API, as it currently sits, is incapable of correctly
supporting Kerberos, and several other authentication schemes.

Apparently, the only way to fix this is to change the PAM API.

-- Terry