On Sun, Aug 27, 2000 at 02:32:06PM +0200, Ingo Luetkebohle wrote: > On Sat, Aug 26, 2000 at 11:09:20PM -0400, Nicolas Williams wrote: > > To summarize: PAM offers authentication, [coarse] authorization, session > > management, etc... GSS-API only does authentication, > > AAA (authenticiation, authorization and accounting) have been > traditionally seperated conceptually for various reasons. I have > always considered it a big source of confusion that PAM combines the > first two As (and under the name of "authentication" alone, which is > just plain wrong), but of course, YMMV. Some people like that > integration, it seems. I've never heard that AAA should all be separate. Authorization must follow authentication and why should authorization not take into account parameters involved in the authentication, such as the identity of the client, or the level of session security negotiated (if that info is available). And the Accounting step should definitely have information from the Authentication and Authorization phases! And PAM, the API, does AAA, not just AA. The extent of integration of the three As depends on the underlying PAM modules and the system administrator. > -- > Ingo Luetkebohle / 21st Century Digital Boy > Nico --
