help-gss

Re: PAM vs GSSAPI?


From: Ashwin Ganti
Subject: Re: PAM vs GSSAPI?
Date: Sat, 17 Mar 2007 21:06:11 -0500

Hello Ashwin!  From what you describe, I think you'll need to
implement both PAM and GSS-API support for your security mechanism.
The reason is that PAM and GSS-API are two quite different things.
They are not two solutions to the same problem.

Would PAM in some way need to interact with GSSAPI or can the security
mechanism be directly implemented in a PAM module?

You'll need PAM for local host-login to the system.  If your security
mechanism can verify passwords, having a PAM mechanism will solve the
problem for ssh servers too.

Does this mean that ssh uses PAM-based authentication... If I am not
mistaken, OpenSSH has GSSAPI support in that too... not sure which one
is being used now.


You'll need to write a GSS-API mechanism for NFS and SSH, especially
if your security mechanism is not based on passwords.  Fortunately,
both NFS and SSH support GSS-API, but for some other protocols (e.g.,
TLS or EAP) you'll have to add support for your security mechanism
directly since there is no standard way to use a GSS-API mechanism in
those protocols.

As of now I am more concerned with getting this working with SSH and
NFS... so from your comment I think GSSAPI should solve my immediate
problem...

I hope this helps.  If you want to write your GSS-API mechanism and ship
it with GNU GSS, that would be a welcome contribution!  The intention
is that GNU GSS should be a flexible plugin-architecture for all kinds
of GSS-API mechanisms.  I have thought about a dlopen() approach,
which would allow you to hook into GNU GSS at run-time, without having
a link-dependency between GNU GSS and your project, which sometimes
(especially when packaging both projects for Debian etc) can be
beneficial.


Thanks a lot for the information, Simon. I would love to have this ship
with GNU-GSS but I guess there is still a long way for me to go in
implementing this. I still need to fully understand the internals of
GSSAPI before I have this ready.
I shall get back with further queries, if I have any, once I start the
implementation.


/Simon



--
Impossibility is a relative concept



