

From: Ashwin Ganti
Subject: Re: PAM vs GSSAPI?
Date: Tue, 20 Mar 2007 11:37:13 -0500

Thanks Simon for the information.

Please correct my understanding here:

1. I would need to write a PAM module for authenticating the user to
the host initially and create his security credential once she is
authenticated. This module would be using the native security API that
I would provide. It would be very similar to the pam_krb5 module.
2. Coming to the ssh authentication part since my authentication
doesn't use passwords (instead it uses certificates containing the
authentication information to authenticate the user), I would need to
provide a GSSAPI support for the client side as well as the server

3. This is not related to the current topic but when I was going
through the pam_shishi there seems to be many TODO's in the code for
many of the pam support functions. Would it be possible to include
this as a Google Summer of Code project for this summer. I would like
to volunteer to work on it to complete the pending implementation and
put it as the summer of code project. Please let me know if this is
feasible or if there is any other work related to this area.


On 3/20/07, Simon Josefsson <address@hidden> wrote:
"Ashwin Ganti" <address@hidden> writes:

>> Hello Ashwin!  From what you describe, I think you'll need to
>> implement both PAM and GSS-API support for your security mechanism.
>> The reason is that PAM and GSS-API are two quite different things.
>> They are not two solutions to the same problem.
> Would PAM in someway need to interact with GSSAPI or can the security
> mechanism be directly implemented in a PAM module ?

It depends on your system architecture.

It is possible to build a PAM module that implements your security
infrastructure internally, without any use of GSSAPI, much like the
/etc/passwd PAM module etc.  BUT, NFS and SSH will not support it
automatically, it will still treat it as a username/password-derived

It may be possible to implement a PAM module that calls GSS-API
functions to perform the host login, but I don't recall seeing anyone
doing that.  For example, while I don't really know for sure, I think
that all the Kerberos 5 PAM modules use native krb5 APIs instead of
GSS-API.  Your security architecture is equivalent to krb5 from this
conceptual point of view.

Btw, there is a very simple PAM module for Shishi (our krb5
implementation) inside Shishi, see extra/pam_shishi/.

>> You'll need PAM for local host-login to the system.  If your security
>> mechanism can verify passwords, having a PAM mechanism will solve the
>> problem for ssh servers too.
> does this mean that ssh uses pam based authentication...if I am not
> mistaken openssh has gssapi support in that too...not sure which one
> is being used now..

Yes, SSH servers often use PAM to do authentication and authorization,
especially when SSH is used with passwords.

SSH also supports GSS-API, to be able to support new security
infrastructures over the wire.

Keep in mind that PAM doesn't have anything to do with the bits and
bytes sent over the network, while GSS-API is all about that.

>> You'll need to write a GSS-API mechanism for NFS and SSH, especially
>> if your security mechanism is not based on passwords.  Fortunately,
>> both NFS and SSH support GSS-API, but for some other protocols (e.g.,
>> TLS or EAP) you'll have to add support for your security mechanism
>> directly since there is no standard way to use a GSS-API mechanism in
>> those protocols.
> as of now I am more concerned with getting this working with SSH and
> from your comment I think GSSAPI should solve my immediate
> problem...

Yes, for NFS you definitely need GSS-API, and it will work for SSH
too.  You may need PAM support too, but it seems less important.

>> I hope this helps.  If you want to write your GSS-API mechanism and ship
>> it with GNU GSS, that would be a welcome contribution!  The intention
>> is that GNU GSS should be a flexible plugin-architecture for all kinds
>> of GSS-API mechanisms.  I have thought about a dlopen() approach,
>> which would allow you to hook into GNU GSS at run-time, without having
>> a link-dependency between GNU GSS and your project, which sometimes
>> (especially when packaging both projects for Debian etc) can be
>> beneficial.
> Thanks a lot for the information Simon. I would love to have this ship
> with GNU-GSS but I guess there is still a long way for me to go in
> implementing this. I still need to fully understand the internals of
> GSSAPI before I have this ready.
> I shall get back with further queries if I have any, once I start the
> implementation.

Sounds great.  If you want to share any information on the security
infrastructure, I can give early comments on it.


Impossibility is a relative concept
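The thread above separates PAM (host-local login policy) from GSS-API (the mechanism negotiated over the wire), and notes that OpenSSH can use either. The following script is an added example, not code from the thread or from OpenSSH or GNU GSS: it reads an sshd_config and reports the effective global values of UsePAM, GSSAPIAuthentication and PasswordAuthentication, so an administrator can see which of the two paths a server actually has enabled. It assumes the sshd_config rules that the first value obtained for a keyword wins and that settings inside a Match block apply only conditionally (the script stops at the first Match line and does not evaluate those blocks); the sample config is constructed for the example and the `Keyword=value` spelling of options is not handled.

```shell
#!/bin/sh
# Added example: report which sshd authentication paths are enabled.
# Not part of the mailing-list thread; sample config below is constructed.

SAMPLE_SSHD_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_SSHD_CONFIG"' EXIT
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# constructed sample sshd_config for this example
Port 22
usepam yes
GSSAPIAuthentication yes
# the repeated keyword below is ignored: sshd keeps the first value seen
GSSAPIAuthentication no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF

# sshd_setting FILE KEYWORD DEFAULT
# Prints the effective global value of KEYWORD: comments and blank lines
# are skipped, the keyword is compared case-insensitively, the first match
# wins, and scanning stops at the first Match block (simplification: those
# settings are conditional and are not evaluated here).
sshd_setting() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# sshd_auth_summary FILE
# Defaults follow sshd_config(5): UsePAM no, GSSAPIAuthentication no,
# PasswordAuthentication yes.
sshd_auth_summary() {
    file=$1
    pam=$(sshd_setting "$file" UsePAM no)
    gss=$(sshd_setting "$file" GSSAPIAuthentication no)
    pw=$(sshd_setting "$file" PasswordAuthentication yes)
    echo "UsePAM=$pam  (host-local PAM stack: account/session checks, password verification)"
    echo "GSSAPIAuthentication=$gss  (GSS-API mechanism negotiated over the wire)"
    echo "PasswordAuthentication=$pw"
}

sshd_auth_summary "$SAMPLE_SSHD_CONFIG"
```

Run it against a real file by calling `sshd_auth_summary /etc/ssh/sshd_config`; a host whose security mechanism is certificate-based, as described in the thread, would be expected to show GSSAPIAuthentication yes with PasswordAuthentication no, while UsePAM governs only what happens locally once the user is identified.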
