Date: Wed, 4 Sep 2013 14:20:12 +0400
From: Lev Serebryakov <lev@FreeBSD.org>
To: Dag-Erling Smørgrav <des@des.no>
Cc: freebsd-security@FreeBSD.org, Slawa Olhovchenkov <slw@zxy.spb.ru>
Subject: Re: OpenSSH, PAM and kerberos
Message-ID: <1943226951.20130904142012@serebryakov.spb.ru>
In-Reply-To: <86mwnuszag.fsf@nine.des.no>
References: <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <20130903095316.GH3796@zxy.spb.ru> <86li3euovr.fsf@nine.des.no> <20130903115050.GJ3796@zxy.spb.ru> <864na2ujh7.fsf@nine.des.no> <20130903142205.GL3796@zxy.spb.ru> <86mwnuszag.fsf@nine.des.no>
Hello, Dag-Erling.

You wrote 3 September 2013, 19:25:11:

DES> I am *not* proposing to move PAM into a daemon. I am proposing
DES> something completely new. I thought I made that clear.

I totally agree with Dmitry Morozovsky's words, so, please, don't read my words as arguing with you, but rather as questions.

I try to write a short list of requirements for this completely new solution; where am I wrong? I'm sure I am, but where? Thank you.

(1) It should support loadable backends from the very beginning, or we will end with NSS-like hacks and kludges (yes, I totally agree with you that NSS is an ugly hack).

(2) It should run most of the backends with dropped privileges -- you don't need to be "root" to connect to an LDAP or KRB server, for example, and it is better to do this from a restricted account.

(3) It should be able to run SOME PARTS of SOME backends with super-user privileges, as one of the backends should be able to read the system password (shadow) file, as we want to support the good old /etc/master.passwd. A pam_ssh-like backend needs to read the user's private key, too.

(4) It should support "partial" backends, which don't support all AAA functions. One backend could be used only for authentication (like pam_ssh) and another for identity management (like LDAP without authorization). So, the complete feature set could be obtained from a SET of backends, not only one backend at a time (it looks hard to do properly and flexibly enough).

(5) It should be able to run some backend parts (callbacks?) after switching privileges to the authenticated user. For example, the kerberos backend should be able to store the credentials file in the user's home directory with the user's access rights. Backends should be able to communicate with the core of the daemon to specify which parts should be run with which privileges. Again, it doesn't look easy to do properly.

(6) It should provide a channel for a backend to pass any information from one privilege domain to another one, as the kerberos backend should be able to pass a ticket from the restricted domain (where the kerberos protocol is implemented) to the user or superuser domain (to store it in a file in the user's directory).

(7) It should provide some API for challenge-response-like conversation with the user.

(8) It should provide some API for session tracking for accounting and some way for backends to clean up at session end (it is the most questionable part, IMHO, as it is hard to do without zillions of sleeping processes while users are logged in).

(9) The "old" API should be mapped to this daemon, instead of NSS, as we have a multitude of programs in ports which don't know about this new API (ouch, I don't like this part).

(10) Many backends should be re-implemented from the NSS or PAM API (and I don't like this one too). Generic wrappers for NSS and/or PAM modules look complicated and, again, are the same "crap" as NSS and PAM themselves.

-- 
// Black Lion AKA Lev Serebryakov <lev@FreeBSD.org>
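Requirements (2) and (6) above describe one mechanism: run a backend in a process that has dropped privileges, and give it a channel to hand its result (a ticket) back to a more privileged domain. The following is an added C sketch of that mechanism, written for this page; it is not code from the thread, from FreeBSD, or from any existing daemon. The backend body (`fake_krb_backend`), the ticket format, the function names and the uid/gid 65534 are all constructed assumptions. The privilege drop is only performed when the process actually is root; otherwise there is nothing to drop and the child keeps its current ids.

```c
/* Added example (not from the thread): a backend runs in a child that has
 * dropped privileges and passes a "ticket" blob back to the privileged parent
 * over a socketpair. All names and the ticket format are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Only meaningful when running as root.
 * Returns 0 on success, -1 on failure; a failure must be treated as fatal,
 * never as "carry on with whatever privileges we have". */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;                         /* nothing to drop */
    if (setgroups(0, NULL) == -1) return -1;  /* supplementary groups first */
    if (setgid(gid) == -1) return -1;     /* gid before uid, or setgid fails */
    if (setuid(uid) == -1) return -1;
    if (setuid(0) != -1) return -1;       /* drop must be irreversible */
    return 0;
}

/* Channel framing: 4-byte big-endian length, then payload. */
static int write_all(int fd, const void *buf, size_t len)
{
    const uint8_t *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n == -1) { if (errno == EINTR) continue; return -1; }
        p += n; len -= (size_t)n;
    }
    return 0;
}

static int read_all(int fd, void *buf, size_t len)
{
    uint8_t *p = buf;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n == -1) { if (errno == EINTR) continue; return -1; }
        if (n == 0) return -1;            /* peer closed early */
        p += n; len -= (size_t)n;
    }
    return 0;
}

static int send_blob(int fd, const void *buf, uint32_t len)
{
    uint8_t hdr[4] = { (uint8_t)(len >> 24), (uint8_t)(len >> 16),
                       (uint8_t)(len >> 8),  (uint8_t)len };
    if (write_all(fd, hdr, sizeof hdr) == -1) return -1;
    return write_all(fd, buf, len);
}

/* The length comes from the unprivileged side, so it is bounded by `cap`. */
static ssize_t recv_blob(int fd, void *buf, size_t cap)
{
    uint8_t hdr[4];
    if (read_all(fd, hdr, sizeof hdr) == -1) return -1;
    uint32_t len = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                   ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    if (len > cap) { errno = EMSGSIZE; return -1; }
    if (read_all(fd, buf, len) == -1) return -1;
    return (ssize_t)len;
}

/* Backend body, runs in the unprivileged child. A real backend would speak
 * Kerberos or LDAP here; this one fabricates a ticket string (constructed). */
typedef int (*backend_fn)(int chan, const char *user);

static int fake_krb_backend(int chan, const char *user)
{
    char ticket[128];
    int n = snprintf(ticket, sizeof ticket, "TICKET-for-%s-uid%u",
                     user, (unsigned)geteuid());
    if (n < 0 || (size_t)n >= sizeof ticket) return -1;
    return send_blob(chan, ticket, (uint32_t)n);
}

/* Run `fn` in a child that has dropped to uid/gid; collect its blob in the
 * parent. Returns the blob length, or -1 if the child failed or misbehaved. */
ssize_t run_backend_unprivileged(backend_fn fn, const char *user,
                                 uid_t uid, gid_t gid, char *out, size_t cap)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {                       /* child: restricted domain */
        close(sv[0]);
        if (drop_privileges(uid, gid) == -1) _exit(111);
        int rc = fn(sv[1], user);
        close(sv[1]);
        _exit(rc == 0 ? 0 : 1);
    }
    close(sv[1]);                         /* parent: privileged domain */
    ssize_t len = recv_blob(sv[0], out, cap);
    close(sv[0]);
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return len;
}
```

The parent is the only side that ever touches the user's home directory or the shadow file; the child can neither regain root (checked by the `setuid(0)` probe) nor push an oversized message into the parent, because the parent bounds the declared length before reading the payload.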