"Ashwin Ganti" <[EMAIL PROTECTED]> writes:

> Hi,
>
> We are implementing a new security mechanism (similar to Kerberos) and
> want to integrate it with apps like NFS, ssh etc.
>
> What I am wondering here is whether to have a PAM module that
> implements the security mechanism (similar to pam_krb5) or to provide
> a GSSAPI implementation.
>
> For example I have checked code for OpenSSH only to see that it seems
> to have both PAM support and GSSAPI usage too. I am not sure which one
> is being used for Kerberos now.
>
> I am a newbie in all this and am confused as to how to go about with this.
>
> What I am thinking is to provide the GSSAPI implementation for our
> security mechanism and write a PAM module (say pam_gss) to
> authenticate using GSSAPI. I don't know if this would work.
>
> I am not sure as to how Kerberos handles all this (we need to more or
> less follow on similar lines and it would be very useful to know in
> what way Kerberos is being used by these apps)
>
> Basically I need the new security mechanism to be used by all the
> applications (NFS, ssh etc.) and am not sure as to how to go about
> providing that.
>
> Any help or info regarding this would be greatly appreciated. Also
> please let me know if this is not the right forum to post this or if
> there is any other place.

Hello Ashwin!

From what you describe, I think you'll need to implement both PAM and
GSS-API support for your security mechanism. The reason is that PAM
and GSS-API are two quite different things. They are not two solutions
to the same problem.

You'll need PAM for local host-login to the system. If your security
mechanism can verify passwords, having a PAM mechanism will solve the
problem for ssh servers too.

You'll need to write a GSS-API mechanism for NFS and SSH, especially if
your security mechanism is not based on passwords.

Fortunately, both NFS and SSH support GSS-API, but for some other
protocols (e.g., TLS or EAP) you'll have to add support for your
security mechanism directly since there is no standard way to use a
GSS-API mechanism in those protocols.

I hope this helps. If you want to write your GSS-API mechanism and ship
it with GNU GSS, that would be a welcome contribution! The intention
is that GNU GSS should be a flexible plugin architecture for all kinds
of GSS-API mechanisms. I have thought about a dlopen() approach, which
would allow you to hook into GNU GSS at run-time, without having a
link-dependency between GNU GSS and your project, which sometimes
(especially when packaging both projects for Debian etc.) can be
beneficial.

/Simon

_______________________________________________
Help-gss mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gss
