Nicolas Williams wrote:

> For now, I would be happy if we can come to an agreement on the
> feasibility and utility of using PAM binary prompts to move GSS-API
> handling from the PAM app to a PAM module as discussed so far.
>
> We'll probably need to poke some more holes in this proposal. Ingo, for
> example, noticed the problem that the PAM app has to be able to get at
> the GSS context after pam_authenticate() returns (easy to solve). And I
> think that the binary prompt control character, as it stands, won't do.
>
> I should post a complete flow description of how this would work.
>
> Once this can be made to work (we'll need a prototype, probably) we can
> then extend the approach to authentication negotiation, which, I think,
> is doable.

What this triggered in my mind is that all this stuff, while quite useful from an administrator's point of view, seems to be way too complex at the application level. And there will be tons of incompatibilities between PAM modules and particular applications around this. Complexity is not a good thing with respect to security...

As far as I can see, PAM lacks one feature that is almost required for some sorts of protocols: the ability of the _application_ to ask PAM about something, rather than PAM asking the application (i.e. the direction opposite to the conversation function). This can't be implemented in the current infrastructure; the concepts would have to be changed for this to work. The point here is that many (most?) network protocols just can't work with the PAM model by design (ok, can't work _well_), and the examples are trivial: plain ftp/pop shows that nicely.

One little thought: maybe we should think in the other direction, i.e. correcting the _protocols_ so that they will work nicely with one centralized/well-managed "AAA" infrastructure? :^8 (read: _BIG_ funny smiley here!)

With the proposed approach, will currently trivial applications (like pop/ftp, for example) become just too fat and complex and _unmanageable_ from the administrator's point of view (incompatibilities between modules, a separate set of modules for each protocol, etc.), so that the whole picture is just a nightmare? I'm not sure about this...

Regards,
Michael.

> Nico