On Sun, Aug 27, 2000 at 01:09:25AM +0200, Ingo Luetkebohle wrote:
> On Thu, Aug 24, 2000 at 05:04:02PM -0700, Andrew Morgan wrote:
> > Before we go there. Is there any reason why we couldn't pursue the idea
> > of implementing GSS's authentication in a PAM module?
>
> Maybe because GSSAPI and PAM do essentially the same thing, in
> different ways? Only things that are orthogonal integrate easily, but
> GSSAPI and PAM aren't.
>
> --
> Ingo Luetkebohle / 21st Century Digital Boy
>
> its easy to stop using Perl: I do it after every project

Please read the other recent posts by me on this topic.

To summarize: PAM offers authentication, [coarse] authorization, session management, etc... GSS-API only does authentication, yet the parameters involved in GSS auth (e.g., mechanism(s), client principal name(s), QoP) are worth knowing about in PAM so pam_acct_mgmt can make useful decisions based on those.

Initially I did not propose tight integration between GSS-API and PAM (heck, I was sceptical of such a proposal by Andrew), but Andrew changed my mind.

Now that I see that PAM binary prompts can allow integration of the two things I also see that programs that support GSS-API might also be simpler if the GSS stuff is moved to PAM. Why? Because all the programmer would have to do is provide a binary conversation function and use PAM as normal, letting pam_authenticate() and the conversation function do all the work.

Reuse would certainly be promoted if you integrate PAM and GSS-API; and mind you, we're not talking about integration really, but about how a service, PAM and a module for doing GSS-API authentication would interact.

As I think about it I am more and more convinced that this is useful. I could be wrong. :)

Nico
--