Date:      Thu, 04 Dec 2003 09:22:05 -0600
From:      Jacques Vidrine <nectar@freebsd.org>
To:        Terry Lambert <tlambert2@mindspring.com>
Cc:        freebsd-current@freebsd.org
Subject:   Re: NSS and PAM
Message-ID:  <3FCF511D.1070300@freebsd.org>
In-Reply-To: <3FCF36ED.9E1BEBC8@mindspring.com>
References:  <20031129011334.GC88553@madman.celabo.org> <xzpbrqw7xsb.fsf@dwp.des.no> <20031201142737.GC99428@madman.celabo.org> <xzp7k1geb6x.fsf@dwp.des.no> <20031201175925.GC244@madman.celabo.org> <3FCF36ED.9E1BEBC8@mindspring.com>

Terry Lambert said the following on 12/4/03 7:30 AM:
> The main issue that most people have missed so far in this whole
> discussion is that there are three perpendicular axes, not simply
> a single axis (or simply two of them, for people like you, who've
> understood the difference between the first two, but missed the
> third).

I didn't miss anything;  we're talking about NSS and PAM, which together
only encompass the first two.

[...]
> The problem that DES points out is real; PAM is really too stupid
> to handle the updating process alone, and hasn't added the necessary
> interfaces to correct the problem.

It indeed includes an interface for updating one's `authentication
token' (in most or maybe all cases that PAM supports, a password).

>  There was a very interesting
> discussion of this issue with one of the main designers of the PAM
> protocol that took place at one of the Silicon Valley get-togethers
> hosted by the Netscape offices; the upshot of it was that Sun would
> never be correcting the issue in an updated version of PAM in order
> to be able to properly support Kerberos.

Terry, you are confused.  You are talking about something completely
different, which is the fact that PAM will never be able to handle
network authentication protocols itself, but only simple password-like
mechanisms.  Every so often you like to bring up that you were present
at this meeting for some reason, but it sometimes seems like you weren't
paying full attention.

>>Of course this won't work for certain legacy, read-mostly
>>`authentication methods' such as NIS or Hesiod that aren't supported
>>by PAM.
> 
> Kerberos has a similar problem. 

No, it doesn't.  NIS and Hesiod have no protocol for updating one's
password.  Kerberos does, as do many other mechanisms which PAM supports.

> PAM assumes that there is not a
> requirement for a covert channel in order to update data in the
> data store that's used for the purposes of authenticating identity
> in order to authorize granting of rights.  
[...]

PAM makes no such assumptions, although certain modules may if they are
poorly written.

Cheers,
-- 
Jacques Vidrine   NTT/Verio SME      FreeBSD UNIX       Heimdal
nectar@celabo.org jvidrine@verio.net nectar@freebsd.org nectar@kth.se
