Re: NSS and PAM

From: Brandon S. Allbery KF8NH <allbery_at_ece.cmu.edu>
Date: Tue, 02 Dec 2003 00:14:22 -0500
On Mon, 2003-12-01 at 21:24, Tim Kientzle wrote:
> Why is the directory "usually the worst" for storing
> authentication information?

This one's fairly easy to answer:  you want to stick authentication data
into a potentially public/exposed directory?  Even traditional Unix uses
/etc/shadow (or more complex solutions on some commercial systems) these
days, so the password isn't in the "directory" (/etc/passwd).

However, I have to agree with des's argument:  a combined matrix for
directory and authentication services doesn't mean the *data* must be
combined.  Using (for example) SIA, one could specify Kerberos 5 (my
guess as to wollman's "better answer") and LDAP, and simply not specify
entry points for the parts that each doesn't handle (Kerberos doesn't
support directory services, and LDAP isn't being used for
authentication), with later entries falling back to NIS or traditional
files.  But this arrangement allows traditional APIs to work reasonably
--- and you can layer PAM and NSS on top of it as compatibility APIs.

-- 
brandon s. allbery    [linux,solaris,freebsd,perl]     allbery_at_kf8nh.com
system administrator      [WAY too many hats]        allbery_at_ece.cmu.edu
electrical and computer engineering, carnegie mellon univ.         KF8NH
Received on Mon Dec 01 2003 - 20:15:38 UTC
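The first point in the message above (the directory part of the account database, /etc/passwd, is world-readable, so the hashes are kept out of it and in /etc/shadow or master.passwd instead) can be turned into a small audit. The script below is an added example, not code from the message or its thread: it constructs sample passwd- and shadow-format files in a temporary directory (the file names and hash strings are made up; no system file is touched) and checks two things, that no password field in the directory file carries anything but a placeholder, and that the hash file is not readable by group or others.

```shell
#!/bin/sh
# Added example: audit that account directory data carries no password
# hashes and that the hash file is not group/world-readable.
# All files below are constructed samples under a temp dir, not /etc.

set -u

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Directory data only: the password field is a placeholder ("x" or "*").
cat > "$WORKDIR/passwd.good" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
EOF

# Old single-file layout: a hash sits in the world-readable directory file.
cat > "$WORKDIR/passwd.bad" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
bob:$6$SALTSALT$EXAMPLEHASHNOTREAL:1002:1002:Bob:/home/bob:/bin/sh
EOF

# Hash file (shadow format) with correct (0600) and wrong (0644) modes.
printf 'alice:$6$SALTSALT$EXAMPLEHASHNOTREAL:19000:0:99999:7:::\n' \
    > "$WORKDIR/shadow.good"
cp "$WORKDIR/shadow.good" "$WORKDIR/shadow.bad"
chmod 0600 "$WORKDIR/shadow.good"
chmod 0644 "$WORKDIR/shadow.bad"

# check_passwd_no_hashes FILE
# Succeeds only if every password field is a placeholder ("x", "*" or "!"),
# i.e. the secrets live outside the directory file. Comments and blank
# lines are skipped; every offending entry is reported.
check_passwd_no_hashes() {
    awk -F: '
        /^[[:space:]]*(#|$)/ { next }
        $2 != "x" && $2 != "*" && $2 != "!" {
            bad++
            printf "%s: password field for %s is not a placeholder\n", FILENAME, $1
        }
        END { exit (bad > 0) }
    ' "$1"
}

# check_hash_file_mode FILE
# Succeeds only if neither group nor others can read FILE. Columns 5 and 8
# of "ls -l" output are the group and other read bits, which keeps this
# portable between GNU and BSD stat(1) syntaxes.
check_hash_file_mode() {
    bits=$(ls -ld "$1" | cut -c5,8)
    if [ "$bits" != "--" ]; then
        echo "$1: readable by group/other (mode $(ls -ld "$1" | cut -c1-10))"
        return 1
    fi
    return 0
}

# Report on the constructed samples.
for f in passwd.good passwd.bad; do
    if check_passwd_no_hashes "$WORKDIR/$f"; then
        echo "$f: ok"
    else
        echo "$f: FAIL"
    fi
done
for f in shadow.good shadow.bad; do
    if check_hash_file_mode "$WORKDIR/$f"; then
        echo "$f: ok"
    else
        echo "$f: FAIL"
    fi
done
```

Pointed at real files, the same two functions apply to /etc/passwd and /etc/shadow (or /etc/master.passwd on FreeBSD); the placeholder set covers the conventions of both, and the mode check is the one that matters once the hashes are in their own file.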