Hi Thorsten,

> > I am confident you did not read my proposal.
>
> I did read it, but you started right from the beginning with a
> technical solution without explaining the problem you want to solve.
> Reverse engineering the problem from a proposal is pretty hard and
> leads most of the time to misunderstandings and wrong assumptions.
I might have made some assumptions about how obvious the problem is that are not entirely valid. But I did explicitly point out that the whole idea is to augment PAM, be PAM compatible, and be generically callable by PAM at various points in the proposal.

That said, the problem to be solved is actually simply that the completely modular userdbd system is missing an authentication interface. So while user records can today come from really arbitrary sources, authentication mostly still requires hashed passwords stored somewhere on the system. Especially user databases backed by Web APIs (OAuth, OIDC, REST) are not well covered.

sssd and Canonical's proprietary authd have done work on this [1], and I am setting out to port this work into systemd to make it more generally available and more backend-independent. You can find a demonstration here [2], and my plans are to generalise these efforts to make it available to all userdbd services.

-nik

[1] https://github.com/SSSD/sssd/issues/7229
[2] https://asciinema.org/a/728726