On Fri, Aug 25, 2000 at 08:46:10PM -0700, Andrew Morgan wrote:
> Nicolas Williams wrote:
> > I now think that PAM binary prompts could certainly be used to handle
> > GSS-API and anything else such as raw Kerberos, SRP and so on.
>
> I think binary prompts are not quite the complete solution. We also need
> some event driven model for supporting ticket expiration/renewal but I
> agree with this sentiment.

Well, sort of. If the service already knows what kind of authentication
type will be used before calling pam_authenticate(), then there's no need
for an event system.

BTW, I've read the event thread and have some thoughts to share on that.

Here are some thoughts on the event system:

 - have a PAM event type and a pam_raise() function for raising those
   events. Thus, the PAM app might wait only on creds expiration and
   session exit events, which would be PAM events raised by handlers for
   raw system events, such as signals, file descriptor data, etc...

 - allow the PAM app to provide its own registration callback function so
   PAM's system can play nice with any event system the app may already
   have

 - signals are NOT that hard to handle; the app just has to cooperate a
   bit. As long as PAM and the app remember the current signal handler
   for any signal when installing their own, and as long as both can deal
   with spurious signals all should be ok. Well, yes, I know, the app and
   PAM would have to have the same preferences for syscall interruption
   settings, alternate stacks and so on.

I'll share more sometime next week. My son was born this morning, so I'll
tune out for some time (don't tell my wife I got on the Net today! :)

> Perhaps you'd like to write out a typical event loop for gss type
> authentication and ticket renewal? That should help identify where PAM
> is lacking at present.

Well, GSS-API auth is synchronous, so events aren't really needed here.

> > Notice that GSS-API binary prompts don't seem to fit any of the
> > currently allocated binary prompt control characters. This is an area
> > that might need work to make this approach possible.
>
> Perhaps you could include details here too?

I will, late next week.

> Thanks
>
> Andrew
>

Thanks,

Nico
--