"Ashwin Ganti" <[EMAIL PROTECTED]> writes:

>> Hello Ashwin! From what you describe, I think you'll need to
>> implement both PAM and GSS-API support for your security mechanism.
>> The reason is that PAM and GSS-API are two quite different things.
>> They are not two solutions to the same problem.
>
> Would PAM in some way need to interact with GSSAPI, or can the security
> mechanism be directly implemented in a PAM module?

It depends on your system architecture. It is possible to build a PAM
module that implements your security infrastructure internally, without
any use of GSSAPI, much like the /etc/passwd PAM module etc. BUT, NFS
and SSH will not support it automatically; they will still treat it as
a username/password-derived backend.

It may be possible to implement a PAM module that calls GSS-API
functions to perform the host login, but I don't recall seeing anyone
doing that. For example, while I don't really know for sure, I think
that all the Kerberos 5 PAM modules use native krb5 APIs instead of
GSS-API. Your security architecture is equivalent to krb5 from this
conceptual point of view.

Btw, there is a very simple PAM module for Shishi (our krb5
implementation) inside Shishi, see extra/pam_shishi/.

>> You'll need PAM for local host-login to the system. If your security
>> mechanism can verify passwords, having a PAM mechanism will solve the
>> problem for ssh servers too.
>
> Does this mean that ssh uses PAM-based authentication? If I am not
> mistaken, OpenSSH has GSSAPI support in that too... not sure which one
> is being used now.

Yes, SSH servers often use PAM to do authentication and authorization,
especially when SSH is used with passwords. SSH also supports GSS-API,
to be able to support new security infrastructures over the wire. Keep
in mind that PAM doesn't have anything to do with the bits and bytes
sent over the network, while GSS-API is all about that.

>> You'll need to write a GSS-API mechanism for NFS and SSH, especially
>> if your security mechanism is not based on passwords. Fortunately,
>> both NFS and SSH support GSS-API, but for some other protocols (e.g.,
>> TLS or EAP) you'll have to add support for your security mechanism
>> directly since there is no standard way to use a GSS-API mechanism in
>> those protocols.
>>
>
> As of now I am more concerned with getting this working with SSH and
> NFS... so from your comment I think GSSAPI should solve my immediate
> problem...

Yes, for NFS you definitely need GSS-API, and it will work for SSH too.
You may need PAM support too, but it seems less important.

>> I hope this helps. If you want to write your GSS-API mechanism and ship
>> it with GNU GSS, that would be a welcome contribution! The intention
>> is that GNU GSS should be a flexible plugin-architecture for all kinds
>> of GSS-API mechanisms. I have thought about a dlopen() approach,
>> which would allow you to hook into GNU GSS at run-time, without having
>> a link-dependency between GNU GSS and your project, which sometimes
>> (especially when packaging both projects for Debian etc) can be
>> beneficial.
>>
>
> Thanks a lot for the information Simon. I would love to have this ship
> with GNU GSS but I guess there is still a long way for me to go in
> implementing this. I still need to fully understand the internals of
> GSSAPI before I have this ready.
> I shall get back with further queries, if I have any, once I start the
> implementation.

Sounds great. If you want to share any information on the security
infrastructure, I can give early comments on it.

/Simon

_______________________________________________
Help-gss mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gss
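The SSH side of the split Simon describes, as an added configuration example that is not part of the thread: sshd gets two independent authentication paths, GSS-API for the tokens on the wire and PAM for the host login, and the PAM stack is where a mechanism-specific module would plug in. The module name pam_mymech.so is a placeholder for the module Ashwin would write; the other directives and module names are standard OpenSSH and Linux-PAM ones.

```conf
# /etc/ssh/sshd_config (excerpt)
# Path 1: GSS-API. The mechanism behind it (krb5, or a new one registered
# with the GSS-API library) produces and consumes the bits on the wire;
# sshd only relays tokens and never sees the credentials themselves.
GSSAPIAuthentication yes

# Path 2: password-style login. sshd collects the password over the
# already-encrypted channel and hands it to the host's PAM stack, so a
# PAM-only mechanism is only ever seen as a username/password backend.
UsePAM yes
PasswordAuthentication yes

# /etc/pam.d/sshd (excerpt): the PAM stack that path 2 consults.
# pam_mymech.so is a placeholder for a module that verifies the password
# against the custom backend internally; pam_unix.so is the /etc/passwd
# module mentioned in the thread, kept as the fallback.
auth     sufficient  pam_mymech.so
auth     required    pam_unix.so
account  required    pam_unix.so
```

A GSS-API login through path 1 never enters the auth stack above; only the account (and session) phases of PAM still run for it when UsePAM is set.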
