From: Simon Josefsson
Subject: Re: PAM vs GSSAPI?
Date: Sat, 17 Mar 2007 12:29:22 +0100
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.94 (gnu/linux)

"Ashwin Ganti" <address@hidden> writes:

> Hi,
> We are implementing a new security mechanism (similar to kerberos) and
> want to integrate it with apps like nfs, ssh etc.
> What I am wondering here is whether to have a PAM module that
> implements the security mechanism ( similar to pam_krb5) or to provide
> a GSSAPI implementation.
> For example I have checked code for openSSH only to see that it seems
> to have both PAM support and GSSAPI usage too. I am not sure which one
> is being used for kerberos now.
> I am a newbie in all this and am confused as to how to go about with this.
> What I am thinking is to provide the GSSAPI implementation for our
> security mechanism and write a PAM module ( say pam_gss) to
> authenticate using GSSAPI. I don't know if this would work.
> I am not sure as to how kerberos handles all this ( we need to more or
> less follow on similar lines and it would be very useful to know in
> what way kerberos is being used by these apps)
> Basically I need the new security mechanism to be used by all the
> applications ( NFS, ssh etc.) and am not sure as to how to go about
> providing that.
> Any help or info regarding this would be greatly appreciated. Also
> please let me know if this is not the right forum to post this or if
> there is any other place.

Hello Ashwin!  From what you describe, I think you'll need to
implement both PAM and GSS-API support for your security mechanism.
The reason is that PAM and GSS-API are two quite different things.
They are not two solutions to the same problem.

You'll need PAM for local host-login to the system.  If your security
mechanism can verify passwords, having a PAM mechanism will solve the
problem for ssh servers too.

You'll need to write a GSS-API mechanism for NFS and SSH, especially
if your security mechanism is not based on passwords.  Fortunately,
both NFS and SSH support GSS-API, but for some other protocols (e.g.,
TLS or EAP) you'll have to add support for your security mechanism
directly since there is no standard way to use a GSS-API mechanism in
those protocols.

I hope this helps.  If you want to write your GSS-API mechanism and ship
it with GNU GSS, that would be a welcome contribution!  The intention
is that GNU GSS should be a flexible plugin-architecture for all kinds
of GSS-API mechanisms.  I have thought about a dlopen() approach,
which would allow you to hook into GNU GSS at run-time, without having
a link-dependency between GNU GSS and your project, which sometimes
(especially when packaging both projects for Debian etc.) can be
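To make the two paths Simon describes concrete, here are the two places where OpenSSH's server is wired to each of them. This is an added configuration example, not part of the original message or of GNU GSS; the fragments are constructed for illustration, and pam_newmech.so is a hypothetical module name standing in for the mechanism under discussion.

```conf
# /etc/ssh/sshd_config (fragment, constructed for this example)
#
# Path 1: password-style authentication. sshd collects the password from
# the client and hands it to PAM; whichever modules /etc/pam.d/sshd lists
# perform the actual check. A mechanism that can verify passwords only
# needs a PAM module to be usable here.
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes

# Path 2: GSS-API authentication (RFC 4462). No password crosses the
# connection; sshd exchanges opaque mechanism tokens with the client and
# the mechanism library (gss-krb5 for Kerberos) verifies them. A new
# mechanism is usable here only if it is provided as a GSS-API mechanism.
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

# /etc/pam.d/sshd (fragment, constructed for this example)
#
# pam_krb5 is the existing Kerberos PAM module; the hypothetical
# pam_newmech.so would occupy the same slot for the new mechanism.
auth       sufficient   pam_krb5.so
# auth     sufficient   pam_newmech.so
auth       required     pam_unix.so try_first_pass
account    required     pam_unix.so
session    optional     pam_krb5.so
```

Reading the two fragments side by side shows why both pieces are needed: the PAM stack is consulted only when sshd already holds a password (or a challenge-response answer) to verify, while GSSAPIAuthentication bypasses PAM's authentication phase entirely and depends on a mechanism library being installed. OpenSSH additionally has a KerberosAuthentication option that checks a password against the KDC without going through PAM, but that is Kerberos-specific and offers no hook for a different mechanism.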