On Mon, Aug 28, 2000 at 11:14:50AM -0400, Nicolas Williams wrote:
> For now, I would be happy if we can come to an agreement on the
> feasibility and utility of using PAM binary prompts to move GSS-API
> handling from the PAM app to a PAM module as discussed so far.

> We'll probably need to poke some more holes in this proposal. Ingo, for
> example, noticed the problem that the PAM app has to be able to get at
> the GSS context after pam_authenticate() returns (easy to solve).

Taking these two paragraphs together with your original post, you want:

1) use GSSAPI information in the PAM authorization stage
2) use GSSAPI calls for later cryptographic processing in the application

So the goal is obviously not to remove the necessity of GSSAPI altogether.

It would seem to me that the far easier approach would be to cut PAM into pieces, one for the authentication, one for authorization and one for accounting. That should make it possible to easily use PAM's authorization steps together with GSSAPI authentication -- just populate the PAM information struct from GSSAPI (through the gss_inquire_cred and gss_inquire_context calls) and then call pam_acct_mgmt, for example. I'm not sure yet, but this might even be doable without any modification to PAM at all. All that needs to be written is a transfer function.

That's incidentally what I aimed at with my earlier mention of the conceptual separation between these stages: if, like PAM does, you lump it all together, you'll always run into the kind of integration problems like the one we spent quite some mails about. If, instead, you have it in pieces, you can easily integrate it by sticking parts together.

-- 
Ingo Luetkebohle / 21st Century Digital Boy

it's easy to stop using Perl: I do it after every project