Mailing Lists: Apple Mailing Lists


Re: PAM questions. HELP!



On Tuesday, December 3, 2002, at 11:32 AM, Sean wrote:

What more or less is the roadmap authentication? I thought NetInfo was
dying, being replaced with OpenDirectory. Security frameworks were
essentially what ALL applications regardless of mac/unix side were
supposed to reference this framework so we didn't have a "moving" target to
hit for developers at either level, i.e.:

I'm not sure I understand the question. The Security Framework is merely a collection of security mechanisms (like keychain) and a pluggable authentication chain. It's entirely orthogonal to the question of whether to use NetInfo or OpenDirectory, and in fact supports both.

Correct me if I am wrong or missing something but is this what you
were alluding to about PAM support and why it wasn't made a security
framework plug-in off the bat, thus maybe we can outline pitfalls,

You're missing something. :) All we were trying to do with PAM is make it another "chain segment" which could be used by the Unix side of the house when faced with legacy PAM plug-ins that people wanted to be able to use to authenticate mechanisms like, say, ssh. Any greater purpose or agenda is neither implied nor intended.


The second being, the LoginWindow isn't directly using Security
Frameworks, and it is still using direct ties to NetInfo which then looks
up in Security Frameworks for authentication.

Are you sure of this?

- Jordan



On Wed, 27 Nov 2002, Jordan Hubbard wrote:

Short answer: You don't. LoginWindow doesn't use PAM, only the "Unix
side" of the house does, e.g. ssh and a console login or other form of
remote login. For LoginWindow, you need to write a security frameworks
plug-in. Once you do that, PAM will use it since the default PAM
authentication path includes a pam_securityframework plugin which jumps
over to the security frameworks mechanism rather quickly.

As to the why, it's pretty simple. Mac OS X was set up to use security
frameworks, which also provides a chain of plug-ins based
authentication scheme, well before PAM was introduced. Rather than
have parallel mechanisms or a reference-counted, loop-detecting scheme
which allowed security frameworks to chain to PAM and vice-versa
without causing authentication loops, it was deemed simpler to have one
be the default and just chain the mechanisms in a "Y" configuration.

If that causes a lot of confusion going forward, I guess we could
always write a security frameworks module which links to PAM at the
very end of the chain, adding some extra hair to do the loop detection,
but it's probably more work than it's worth unless people prove highly
averse to writing security frameworks plug-ins.

- Jordan

On Wednesday, November 27, 2002, at 07:56 AM, Sean wrote:

So how the heck do you get the login window to use PAM to authenticate
and authorize for the Jaguar login window? I mean the more I read the less

--
Jordan K. Hubbard
Engineering Manager, BSD technology group
Apple Computer



_______________________________________________
darwin-development mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-development
Do not post admin requests to the list. They will be ignored.


