Come on, someone on this list must know something about XSSO. Heck, there's even stubs in LinuxPAM for XSSO extensions. I can see the use of pam_authenticate_secondary() and pam_get_mapped_* and so on, but that's for tasks such as getting Kerberos tickets when Kerberos isn't your primary form of authentication. I think something like, say, pam_gss_authenticated() is needed. It's arguments would be a PAM handle, a GSS mechanism OID (gss_OID_desc), a GSS QoP OID and a principal name (gss_name_t). Applications that use Kerberos directly instead of GSS-API could still use pam_gss_authenticated() by converting the KRB5 principal name into a gss_name_t and by getting the relevant OIDs. Nico On Mon, Aug 21, 2000 at 03:48:31PM -0400, Nicolas Williams wrote: > > So, I've been looking at XSSO [*], the X/Open PAM-based single sign-on > spec. I like their pretty SSO pictures, and particularly the one where > an application uses GSS-API to authenticate to a remote service which > then uses XSSO to validate the client. > > I'm looking for how such a service would use XXSO (PAM) in that case. It > doesn't seem like there is an API for informing XSSO of the GSS-API > authentication information (mechanism(s), client principal(s)) so XSSO > can correctly authenticate and authorize the client. > > Can someone enlighten me as to the above? > > [*] http://www.opengroup.org/pubs/catalog/p702.htm > > Thanks, > > Nico > -- > > . --
