Date: Tue, 02 Dec 2003 00:14:22 -0500
From: "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu>
To: kientzle@acm.org
Cc: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Subject: Re: NSS and PAM
Message-ID: <1070342062.45378.14.camel@pyanfar.ece.cmu.edu>
In-Reply-To: <3FCBF7D9.10609@acm.org>
References: <20031129011334.GC88553@madman.celabo.org> <20031201142737.GC99428@madman.celabo.org> <20031201175925.GC244@madman.celabo.org> <xzpvfp0ch1z.fsf@dwp.des.no> <200312012250.hB1MoCMZ081007@khavrinen.lcs.mit.edu> <3FCBF7D9.10609@acm.org>
On Mon, 2003-12-01 at 21:24, Tim Kientzle wrote:
> Why is the directory "usually the worst" for storing
> authentication information?

This one's fairly easy to answer: you want to stick authentication data into a potentially public/exposed directory? Even traditional Unix uses /etc/shadow (or more complex solutions on some commercial systems) these days, so the password isn't in the "directory" (/etc/passwd).

However, I have to agree with des's argument: a combined matrix for directory and authentication services doesn't mean the *data* must be combined. Using (for example) SIA, one could specify Kerberos 5 (my guess as to wollman's "better answer") and LDAP, and simply not specify entry points for the parts that each doesn't handle (Kerberos doesn't support directory services, and LDAP isn't being used for authentication), with later entries falling back to NIS or traditional files.

But this arrangement allows traditional APIs to work reasonably --- and you can layer PAM and NSS on top of it as compatibility APIs.

-- 
brandon s. allbery [linux,solaris,freebsd,perl]                allbery@kf8nh.com
system administrator [WAY too many hats]                    allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon univ.                KF8NH
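The point above about keeping the secret out of the world-readable "directory" file can be checked mechanically. The following audit script is an added example, not code from this thread or from any of the systems it names: it parses passwd-format lines and flags every account whose password field carries a hash (or is empty) instead of the shadow placeholder. The sample entries are constructed; the user names, hash and function names are illustrative.

```python
# Audit passwd-format records: the password field of a world-readable
# /etc/passwd should only ever hold a placeholder ("x" on shadow systems,
# "*" on FreeBSD, where the real data lives in master.passwd), never a hash.

# Constructed sample, not taken from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:$6$constructedsalt$notarealhash0123456789:1002:1002:Bob:/home/bob:/bin/sh
svc:*:1003:1003:Service:/nonexistent:/usr/sbin/nologin
guest::1004:1004:Guest:/home/guest:/bin/sh
# comment lines and blank lines are ignored
"""

# Placeholder values that mean "look in the shadow file" or "no login".
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!", "*LK*", "*NP*"}


def classify_password_field(pw_field: str) -> str:
    """Return 'shadowed', 'empty' or 'hash-exposed' for one password field."""
    if pw_field in SHADOW_PLACEHOLDERS or pw_field.startswith("!"):
        return "shadowed"          # locked or delegated to the shadow file
    if pw_field == "":
        return "empty"             # passwordless login: bad, but not a leak
    return "hash-exposed"          # a crypt(3)-style hash in a public file


def audit_passwd(text: str) -> dict:
    """Map each problematic account (or 'line N' if malformed) to a finding."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:       # passwd(5) has exactly seven fields
            findings[f"line {lineno}"] = "malformed"
            continue
        user, pw_field = fields[0], fields[1]
        verdict = classify_password_field(pw_field)
        if verdict != "shadowed":
            findings[user] = verdict
    return findings


if __name__ == "__main__":
    for account, problem in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{account}: {problem}")
```

On the constructed sample this reports only bob (hash present in the directory file) and guest (empty password field).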
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1070342062.45378.14.camel>