Re: NSS and PAM

From: Jacques Vidrine <nectar_at_freebsd.org>
Date: Thu, 04 Dec 2003 09:22:05 -0600
Terry Lambert said the following on 12/4/03 7:30 AM:
> The main issue that most people have missed so far in this whole
> discussion is that there are three perpendicular axis, not simply
> a single axis (or simply two of them, for people like you, who've
> understood the difference between the first two, but missed the
> third).

I didn't miss anything;  we're talking about NSS and PAM, which together
only encompass the first two.

[...]
> The problem that DES points out is real; PAM is really too stupid
> to handle the updating process alone, and hasn't added the necessary
> interfaces to correct the problem.

It indeed includes an interface for updating one's `authentication
token' (in most or maybe all cases that PAM supports, a password).

>  There was a very interesting
> discussion of this issue with one of the main designers of the PAM
> protocol that took place at one of the Silicon Valley get-togethers
> hosted by the Netscape offices; the upshot of it was that Sun would
> never be correcting the issue in an updated version of PAM in order
> to be able to properly support Kerberos.

Terry, you are confused.  You are talking about something completely
different, which is the fact that PAM will never be able to handle
network authentication protocols itself, but only simple password-like
mechanisms.  Every so often you like to bring up that you were present
at this meeting for some reason, but it sometimes seems like you weren't
paying full attention.

>>Of course this won't work for certain legacy, read-mostly
>>`authentication methods' such as NIS or Hesiod that aren't supported
>>by PAM.
> 
> Kerberos has a similar problem.

No, it doesn't.  NIS and Hesiod have no protocol for updating one's
password.  Kerberos does, as do many other mechanisms which PAM supports.

> PAM assumes that there is not a
> requirement for a covert channel in order to update data in the
> data store that's used for the purposes of authenticating identity
> in order to authorize granting of rights.
[...]

PAM makes no such assumptions, although certain modules may if they are
poorly written.

Cheers,
-- 
Jacques Vidrine   NTT/Verio SME      FreeBSD UNIX       Heimdal
nectar_at_celabo.org jvidrine_at_verio.net nectar_at_freebsd.org nectar_at_kth.se
Received on Thu Dec 04 2003 - 06:22:21 UTC

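The authentication-token update interface Jacques refers to is pam_chauthtok(): libpam calls each module's pam_sm_chauthtok() twice, first with PAM_PRELIM_CHECK and then with PAM_UPDATE_AUTHTOK, so a module whose backend (a Kerberos KDC, say) is unreachable, or whose check of the old token fails, can veto the change before any store is written. The C model below is an added example, not code from this thread or from any PAM implementation; it builds without libpam, defines the PAM constants locally (values mirror Linux-PAM, but that is an assumption), uses a simplified module signature, and runs on constructed stores.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for <security/pam_modules.h> constants. Values mirror Linux-PAM
   but are defined here so the model builds without libpam (assumption). */
#define PAM_SUCCESS        0
#define PAM_AUTHTOK_ERR    20
#define PAM_TRY_AGAIN      24
#define PAM_PRELIM_CHECK   0x4000
#define PAM_UPDATE_AUTHTOK 0x2000

/* One backend holding a password: e.g. a local passwd file or a Kerberos KDC. */
struct authtok_store {
    char password[64];
    int  reachable;   /* 0 = backend cannot be contacted right now */
    int  updated;     /* set once the new token has been written */
};

/* What a real module would fetch from the pam handle via pam_get_item(). */
struct pam_handle {
    const char *oldtok;
    const char *newtok;
};

/* Simplified pam_sm_chauthtok(); the real one is (pamh, flags, argc, argv). */
static int module_chauthtok(struct authtok_store *store, struct pam_handle *h, int flags)
{
    if (flags & PAM_PRELIM_CHECK) {
        /* First pass: prove we *could* update, write nothing. */
        if (!store->reachable)
            return PAM_TRY_AGAIN;          /* backend down: veto the whole change */
        if (strcmp(store->password, h->oldtok) != 0)
            return PAM_AUTHTOK_ERR;        /* old token does not verify */
        return PAM_SUCCESS;
    }
    if (flags & PAM_UPDATE_AUTHTOK) {
        /* Second pass: commit. Only reached when every module passed the first. */
        snprintf(store->password, sizeof store->password, "%s", h->newtok);
        store->updated = 1;
        return PAM_SUCCESS;
    }
    return PAM_AUTHTOK_ERR;
}

/* Run every module as "required": all are called, the first failure is returned. */
static int run_stack(struct authtok_store **stack, int n, struct pam_handle *h, int flags)
{
    int ret = PAM_SUCCESS;
    for (int i = 0; i < n; i++) {
        int r = module_chauthtok(stack[i], h, flags);
        if (r != PAM_SUCCESS && ret == PAM_SUCCESS)
            ret = r;
    }
    return ret;
}

/* Model of libpam's pam_chauthtok(): two passes over the same module stack. */
int model_pam_chauthtok(struct authtok_store **stack, int n, struct pam_handle *h)
{
    int r = run_stack(stack, n, h, PAM_PRELIM_CHECK);
    if (r != PAM_SUCCESS)
        return r;                          /* no store has been touched */
    return run_stack(stack, n, h, PAM_UPDATE_AUTHTOK);
}

/* Constructed scenario: a local store plus a "KDC" store, both holding the
   same old password. Returns the PAM result; *updates counts written stores. */
static int scenario(int kdc_reachable, const char *oldtok, int *updates)
{
    struct authtok_store local = { "hunter2", 1, 0 };
    struct authtok_store kdc   = { "hunter2", kdc_reachable, 0 };
    struct authtok_store *stack[] = { &local, &kdc };
    struct pam_handle h = { oldtok, "correct horse battery staple" };

    int r = model_pam_chauthtok(stack, 2, &h);
    *updates = local.updated + kdc.updated;
    return r;
}

int scenario_result(int kdc_reachable, const char *oldtok)
{
    int n;
    return scenario(kdc_reachable, oldtok, &n);
}

int scenario_updates(int kdc_reachable, const char *oldtok)
{
    int n;
    scenario(kdc_reachable, oldtok, &n);
    return n;
}

int main(void)
{
    printf("both backends up:   result=%d updated=%d\n",
           scenario_result(1, "hunter2"), scenario_updates(1, "hunter2"));
    printf("KDC unreachable:    result=%d updated=%d\n",
           scenario_result(0, "hunter2"), scenario_updates(0, "hunter2"));
    printf("wrong old password: result=%d updated=%d\n",
           scenario_result(1, "wrong"), scenario_updates(1, "wrong"));
    return 0;
}
```

The point of the two passes is the second scenario: when the Kerberos backend is unreachable, the local store is never rewritten, so the user's password does not diverge between backends. A module that does its write during PAM_PRELIM_CHECK (which is what "poorly written" means above) throws that guarantee away.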