Date: Sat, 17 Feb 2001 10:22:56 -0500 (EST)
From: Robert Watson <rwatson@FreeBSD.ORG>
To: "Jacques A. Vidrine" <n@nectar.com>
Cc: Matt Dillon <dillon@earth.backplane.com>, Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, Dag-Erling Smorgrav <des@ofug.org>, Mark Murray <mark@grondar.za>, arch@FreeBSD.ORG
Subject: Re: Summary of List of things to move from main tree to ports
Message-ID: <Pine.NEB.3.96L.1010217102030.59690I-100000@fledge.watson.org>
In-Reply-To: <20010217085622.A37238@spawn.nectar.com>

On Sat, 17 Feb 2001, Jacques A. Vidrine wrote:

> PAM does not and cannot provide the same functionality as the Kerberos
> API, GSS-API or SASL. PAM is targeted at interactive authentication --
> give it a username and password, and return yes/no indicating
> authentication success or failure [1]. Once authentication is done, PAM
> is no longer involved (except for a possible clean-up when we log out --
> though this is commonly not implemented).

Generally speaking, I agree with your statements on the relationships between GSS-API, SASL, PAM, et al, except with regards to your summary of PAM. There are actually additional things that PAM can be involved in, including the setup and tear-down of sessions, login authorization, management of local credentials, and accounting.

That said, we don't do most of these with PAM {yet, right now}, but we should be moving in that direction. Especially given that our pam manpage claims that we do :-).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services