From owner-freebsd-current@FreeBSD.ORG Thu Dec 4 07:22:21 2003
Message-ID: <3FCF511D.1070300@freebsd.org>
Date: Thu, 04 Dec 2003 09:22:05 -0600
From: Jacques Vidrine
To: Terry Lambert
cc: freebsd-current@freebsd.org
References: <20031129011334.GC88553@madman.celabo.org> <20031201142737.GC99428@madman.celabo.org> <20031201175925.GC244@madman.celabo.org> <3FCF36ED.9E1BEBC8@mindspring.com>
In-Reply-To: <3FCF36ED.9E1BEBC8@mindspring.com>
Subject: Re: NSS and PAM
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Thu, 04 Dec 2003 15:22:21 -0000

Terry Lambert said the following on 12/4/03 7:30 AM:
> The main issue that most people have missed so far in this whole
> discussion is that there are three perpendicular axes, not simply
> a single axis (or simply two of them, for people like you, who've
> understood the difference between the first two, but missed the
> third).

I didn't miss anything; we're talking about NSS and PAM, which together only encompass the first two.

[...]

> The problem that DES points out is real; PAM is really too stupid
> to handle the updating process alone, and hasn't added the necessary
> interfaces to correct the problem.

It indeed includes an interface for updating one's `authentication token' (in most or maybe all cases that PAM supports, a password).

> There was a very interesting
> discussion of this issue with one of the main designers of the PAM
> protocol that took place at one of the Silicon Valley get-togethers
> hosted by the Netscape offices; the upshot of it was that Sun would
> never be correcting the issue in an updated version of PAM in order
> to be able to properly support Kerberos.

Terry, you are confused. You are talking about something completely different, which is the fact that PAM will never be able to handle network authentication protocols itself, but only simple password-like mechanisms. Every so often you like to bring up that you were present at this meeting for some reason, but it sometimes seems like you weren't paying full attention.

>> Of course this won't work for certain legacy, read-mostly
>> `authentication methods' such as NIS or Hesiod that aren't supported
>> by PAM.
>
> Kerberos has a similar problem.

No, it doesn't. NIS and Hesiod have no protocol for updating one's password. Kerberos does, as do many other mechanisms which PAM supports.

> PAM assumes that there is not a
> requirement for a covert channel in order to update data in the
> data store that's used for the purposes of authenticating identity
> in order to authorize granting of rights.

[...]

PAM makes no such assumptions, although certain modules may if they are poorly written.

Cheers,
--
Jacques Vidrine   NTT/Verio SME   FreeBSD UNIX   Heimdal
nectar@celabo.org   jvidrine@verio.net   nectar@freebsd.org   nectar@kth.se