
List:       kde-core-devel
Subject:    Re: KDM Kerberos 4 & AFS support (was: Resent: )
From:       Michael Matz <matz () ifh ! de>
Date:       2000-04-05 10:27:01

Hi,

On Tue, 4 Apr 2000, Alex Zepeda wrote:
> >No no. There _are_ PAM modules for Kerberos authentication. The problem
> >is, that not all systems have PAM as their authentication and
> >authorization mechanism.
> 
> Perhaps it is time to install PAM then?  Again, I've got a very basic

No. Some systems (HP-UX, Digital Unix, IRIX in older versions...) _don't_
have any support for PAM or such stuff. You see, after all, it's an
authentication method, so it must get some support of the OS. PAM has to
ask something like, "so, this and that user really is who he pretends to
be, please set the UID of all processes to this and that" (there is much
more PAM can do).

I only know of PAM for Solaris (where it came from) and Linux. Maybe
there is (Free|Open|Net)BSD-support. I know that SGI has announced
support for PAM in IRIX>=6.5. But there are more systems.

And PAM does not support these systems either. There simply does not
exist something like PAM for these platforms. And seriously, even if there
did exist some support for it in PAM versions which are free, I'm not sure
I would want to install it on production machines. Security concerns, and
warranty issues.

You see, there is nothing I _could_ install. And I'm not going to hack PAM
to support all these systems (in fact I have done so in the past for some
of them). And even then there are nevertheless the systems which don't
have PAM installed by the sysadmins.

> >Hehe. I mean old with respect to features offered by the system (like old
> >linux distros). Compilers are usually not the problem. You
> >know... physicists squeezing the last bit of performance out of their new
> >fortran compiler ;) Some of them even are using C++. Even with
> >templates. Every time they hear a new compiler appears, they annoy us to
> >install it. (instead of optimizing their algorithms) :-)
> 
> Gah, and they don't update the rest of it?

We are not talking about distros or such. We are talking about large
systems installations. There the tools are changed from time to time, but
not the underlying systems (e.g. we were going from IRIX 6.2 straight to
6.5 on one of our machines, which means several years, OTOH the tools
(like compilers, calculation programs...) were changed many times)

> The thing is, a PAMized login and such wouldn't really be required, as KDM
> doesn't call login, right?  Or am I merely dreaming?

That's correct. If there existed PAM libraries for the systems I'm talking
about, KDM could use them without the sysadmin installing other programs.

> FWIW, I think that Kerberos, "standard", and PAM authentication should
> cover the majority of the configured systems out there (read: I love the
> idea of a modular authentication system).  And if PAM could be retrofitted

I _really_ do also love this idea. But I also know that we don't have
PAM on every system, and are not going to have it soon. So there should be
a solution. (Yes, I also think that the above list covers most systems
(as it includes Kerberos), but I may be biased ;))


Ciao,
Michael.
