ok, i looked up SPNEGO on google.com, and came up with this: draft-ietf-cat-snego-09.txt, which can also be found with google.com on the ietf site. can i recommend that people examine this text. it provides a means for the Simple, Protected NEGOtiation of GSSAPI. i think that the way it works is that, instead of saying, with GSSAPI "hi, mr server, we're going to use _this_ security method today", at which point the server tells the client to get lost, it says: "hi mr server, i'd like you to tell me what security mechanisms you support". and then the client chooses one. and _then_ you use GSSAPI from then on. > > > Adapting an app to use GSS-API generally requires protocol and code > > > changes. why adapt the application? why not just have the PAM module that the app uses provide the authentication? _if_ the app _does_ in fact require GSS-API-auth/etc., _then_ it can call pam_gss_xxxx etc() _but_: it should _not_ be a mandatory requirement for an app that uses gss-api-enabled-PAM modules to _have_ to be aware of that fact. this provides an upgrade path, just like what PAM provided in the first place. authentication and encryption should _not_ be an application's job, it should be PAM's job. PAM should be flexible enough to negotiate _any_ current and future authentication scheme. PAM should provide a means by which the authentication and encryption level _can_ be: 1) passed through, such that _if_ the authentication mechanisms provides an "impersonation" method, an application can *securely* contact *further* applications using "impersonation", and WITHOUT the application having to worry about the details. Kerberos-5 is such a security mechanism that allows "impersonation". 2) queried to ensure minimum or maximum levels of security. regarding 1), i think that the proposal of "binary" prompts is a means being considered to provide effective "pass-through" mechanisms, yes, or no? in other words, a PAM-enabled application has been activated by a user login. the password is NOT, repeat, NOT available to the application. however, the PAM-enabled application wishes to activate, or use, _another_ PAM-enabled application. however, there is currently _no_ method to do this, using PAM, because PAM requires the user-password as input. uh-oh :)
