Re: PAM vs GSSAPI?
From: Simon Josefsson
Subject: Re: PAM vs GSSAPI?
Date: Wed, 21 Mar 2007 12:29:20 +0100
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.95 (gnu/linux)

Russ Allbery <address@hidden> writes:
> Simon Josefsson <address@hidden> writes:
>
>> It may be possible to implement a PAM module that calls GSS-API
>> functions to perform the host login, but I don't recall seeing anyone
>> doing that. For example, while I don't really know for sure, I think
>> that all the Kerberos 5 PAM modules use native krb5 APIs instead of
>> GSS-API. Your security architecture is equivalent to krb5 from this
>> conceptual point of view.
>
> So far as I can tell, it's not possible to obtain initial credentials with
> a password purely through the GSS-API. I only see gss_acquire_cred, which
> isn't sufficient. So yes, I'm fairly sure that all Kerberos PAM modules
> use native Kerberos calls.

Ah, right. I recalled some GSS-API extensions for initial
acquisition, but I guess they were never implemented widely. It might
have been a better approach, though. But maybe there are other things
that pam_krb5 does which aren't possible to do via GSS-API?

/Simon