Hi Thorsten,

> > I am confident you did not read my proposal.
> 
> I did read it, but you started right from the beginning with a
> technical solution without explaining the problem you want to solve.
> Reverse engineering the problem from a proposal is pretty hard and
> leads most of the time to misunderstandings and wrong assumptions.

I might have made some assumptions about how obvious the problem is that
are not entirely valid. But I did explicitly point out that the whole
idea is to augment PAM, be PAM compatible, and be generically callable
by PAM at various points in the proposal.

That said, the problem to be solved is actually simply that the
completely modular userdbd system is missing an authentication
interface. So while user records can today come from really arbitrary
sources, authentication mostly still requires hashed passwords stored
somewhere on the system. Especially user databases backed by Web APIs
(OAuth, OIDC, REST) are not well covered. sssd and Canonical's
proprietary authd have done work on this [1], and I am setting out to
port this work into systemd to make it more generally available and more
backend-independent.

You can find a demonstration here [2], and my plans are to generalise
these efforts to make it available to all userdbd services.

-nik

[1] https://github.com/SSSD/sssd/issues/7229
[2] https://asciinema.org/a/728726
