Re: XSSO? How to communicate to XSSO/PAM external authentication info?

For now, I would be happy if we can come to an agreement on the
feasibility and utility of using PAM binary prompts to move GSS-API
handling from the PAM app to a PAM module as discussed so far.

We'll probably need to poke some more holes in this proposal. Ingo, for
example, noticed the problem that the PAM app has to be able to get at
the GSS context after pam_authenticate() returns (easy to solve). And I
think that the binary prompt control character, as it stands, won't do.

I should post a complete flow description of how this would work.

Once this can be made to work (we'll need a prototype, probably) we can
then extend the approach to authentication negotiation, which, I think,
is doable.

Nico


On Mon, Aug 28, 2000 at 06:45:28AM -0700, SBNelson@thermeon.com wrote:
> A module could be written that would tell ftpd (or telnetd for that matter)
> what authentication methods are available.  Alas, the ftp or telnetd client
> only chooses one out of the list, so we would have to be content with that.
> (Actually with telnetd we could continue with some text based
> authentication methods).
> 
> I also thought that another module could be written that would specify the
> encryption types that are permitted.  A later module would then check to
> make sure that the connection is indeed encrypted.
> 
> > -----Original Message-----
> > From:	Ingo Luetkebohle [SMTP:ingo@blank.pages.de]
> > Sent:	Saturday, August 26, 2000 5:29 AM
> > To:	pam-list@redhat.com
> > Subject:	Re: XSSO? How to communicate to XSSO/PAM external
> > authentication info?
> > 
> > On Fri, Aug 25, 2000 at 09:53:13PM -0400, Nicolas Williams wrote:
> > >     - pam_gss would probably be first in the auth stack and would issue
> > >       a binary prompt asking ftpd to negotiate for GSS-API
> > 
> > Trouble is, RFC 2228 mandates that it's the *client* that suggests
> > which auth protocol to use and the server is supposed to know which
> > auth protocols it can support. I don't see how that can be made to
> > work with PAM's current prompting mechanism.
> > 
> > Even in protocols like IMAP, where the client has to give the server
> > some control by issuing a CAPABILITY request, the server has to know
> > which authentication protocols it can support *before* actual
> > negotiation takes place. Similar problem.
> > 
> > ---Ingo Luetkebohle / 21st Century Digital Boy
> > 
> > it's easy to stop using Perl: I do it after every project
> > 
> > 
> > 
> > _______________________________________________
> > 
> > Pam-list@redhat.com
> > https://listman.redhat.com/mailman/listinfo/pam-list
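The module-to-application exchange that the proposal above relies on, as an added example that is not code from this thread or from Linux-PAM: it models a binary prompt carrying a hypothetical "negotiate GSS-API" request and the application's binary reply, with the framing checks a conversation function needs before it trusts the length field. The packet layout (length, control byte, data) is assumed from libpamc's header; the control values, the target name and the token are invented.

```c
/* Model of the binary-prompt exchange proposed in the thread: the PAM module packs a
 * request into a binary prompt, the app's conversation function unpacks it and replies
 * in kind.  Layout (u32 network-order total length, u8 control, data) follows Linux-PAM's
 * libpamc header; the control values and the token are invented for this example. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define BP_HDR 5                  /* u32 length + u8 control */
#define CTL_GSS_NEGOTIATE 0x10    /* hypothetical: "negotiate GSS-API with the client" */
#define CTL_GSS_TOKEN     0x11    /* hypothetical: reply carrying the negotiation result */
static uint8_t *bp_pack(uint8_t ctl, const void *data, uint32_t len, uint32_t *sz)
{
    uint32_t total = BP_HDR + len;
    uint8_t *p = malloc(total);
    if (!p) return NULL;
    p[0] = total >> 24; p[1] = total >> 16; p[2] = total >> 8; p[3] = total; p[4] = ctl;
    memcpy(p + BP_HDR, data, len);
    *sz = total; return p;
}

/* Rejects truncated packets and length fields that disagree with the buffer given. */
static int bp_unpack(const uint8_t *p, uint32_t avail, uint8_t *ctl, const uint8_t **data, uint32_t *len)
{
    if (avail < BP_HDR) return -1;
    uint32_t total = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | (p[2] << 8) | p[3];
    if (total < BP_HDR || total > avail) return -1;
    *ctl = p[4]; *data = p + BP_HDR; *len = total - BP_HDR; return 0;
}

/* Application side (the conversation function): only a request it knows is answered. */
static int app_conv(const uint8_t *prompt, uint32_t avail, uint8_t **reply, uint32_t *rsz)
{
    uint8_t ctl; const uint8_t *d; uint32_t n;
    if (bp_unpack(prompt, avail, &ctl, &d, &n) || ctl != CTL_GSS_NEGOTIATE) return -1;
    static const char token[] = "constructed-gss-token";  /* stands in for the real token */
    *reply = bp_pack(CTL_GSS_TOKEN, token, sizeof token - 1, rsz);
    return *reply ? 0 : -1;
}
/* Module side, end to end: returns the token length copied into out, or -1 on any error. */
static int module_round_trip(char *out, size_t outsz)
{
    uint32_t psz, rsz, n; uint8_t *prompt, *reply, ctl; const uint8_t *d; int rc = -1;
    if (!(prompt = bp_pack(CTL_GSS_NEGOTIATE, "ftp@host", 8, &psz))) return -1;
    if (app_conv(prompt, psz, &reply, &rsz) == 0) {
        if (!bp_unpack(reply, rsz, &ctl, &d, &n) && ctl == CTL_GSS_TOKEN && n < outsz)
            memcpy(out, d, n), out[n] = '\0', rc = (int)n;
        free(reply);
    }
    free(prompt); return rc;
}
```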