Date:      Tue, 22 Jan 2002 09:50:11 -0600
From:      "Jacques A. Vidrine" <n@nectar.cc>
To:        Terry Lambert <tlambert2@mindspring.com>
Cc:        current@FreeBSD.ORG
Subject:   PAM/Kerberos `integration'? (was Re: Step5, pam_opie OPIE auth fix for review)
Message-ID:  <20020122155011.GA94467@madman.nectar.cc>
In-Reply-To: <3C4C8E69.90DEB78E@mindspring.com>
References:  <20020120233050.GA26913@nagual.pp.ru> <200201202344.g0KNijt34738@grimreaper.grondar.org> <3C4BC6A0.4078CBA6@mindspring.com> <20020121140516.GB57549@madman.nectar.cc> <3C4C7EA7.66CBFC0D@mindspring.com> <20020121145914.A91420@hellblazer.nectar.cc> <3C4C8E69.90DEB78E@mindspring.com>

On Mon, Jan 21, 2002 at 01:55:53PM -0800, Terry Lambert wrote:
> "Jacques A. Vidrine" wrote:
> > > In the way that the author of the PAM architecture from Sun
> > > spoke at the Silicon Valley BSD User's Group meeting,
> > 
> > Do you have a reference, or do we have to guess what you are talking
> > about? :-)
> 
> I have my memory of the talk he gave, which included the idea
> that Sun was not supporting work to modify the PAM architecture
> to support Kerberos in the future.

The PAM architecture doesn't need any modifications to support
Kerberos.  It supports Kerberos today.

> Basically, you can use it for authentication and password change,
> but for little else, and even those uses require going through
> incredible hoops (e.g. abusing the authentication module API to
> implement a credential cache).
>
> Did you need more?

I guess so.  There are many Kerberos 5 PAM modules in existence today,
and they support interactive authentication pretty well.  There is
even some agreement among the authors of related modules on how the
credentials cache can be exported for stacking (e.g. for DCE).  I
can't imagine what `incredible hoops' or `abuse' you might be talking
about.

The PAM API already includes entry points specifically for the
management of credentials.

Put another way, in your first sentence above, what might you mean by
`for little else'?
 
> Are you really just fishing for Paul Fronberg's email address?

No.  I'm probably just wasting my time :-) You have stood up and asked
for something, but have not given any indication of what it is you
want to accomplish.  Curiosity has the better of me.

> Maybe this release note from HP will explain the limitations
> satisfactorily:
> 
> http://docs.hp.com/hpux/onlinedocs/J5849-90001/J5849-90001.html
> 
> NB: This is just for authentication, mostly preauthentication.

These seem to be limitations of HP's pam_krb5 module, not of PAM.  And
again, it is unclear what limitations you might be concerned about.
No account management?  Well, that's not Kerberos's job.  No
credentials management?  That's a problem with HP's implementation --
see /usr/ports/security/pam_krb5 or pam_krb5 in our base system (they
are closely related) for one way it can be done.  Limited
preauthentication choices?  That has to do with the Kerberos
implementation, not PAM.

I feel like I'm having my leg pulled.

Cheers,
-- 
Jacques A. Vidrine <n@nectar.cc>                 http://www.nectar.cc/
NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se
