Mailing Lists: Apple Mailing Lists


Re: PAM questions. HELP!



Thanks, that was exactly the answer I was looking for, although not the
answer I was hoping to hear, but honesty is always appreciated.

What, more or less, is the roadmap for authentication? I thought NetInfo was
dying, being replaced with OpenDirectory. The Security Framework was
essentially what ALL applications, regardless of Mac/Unix side, were
supposed to reference, so we didn't have a "moving" target to
hit for developers at either level, i.e.:

lookupd,etc <->security framework <-> auth method plug-in kerberos,DS,etc.

where security framework is an outwardly stable framework.

Correct me if I am wrong or missing something, but is this what you
were alluding to about PAM support and why it wasn't made a Security
Framework plug-in off the bat? Thus maybe we can outline pitfalls and
potential problems of actually writing a PAM framework, or decide it is
going to be too much of a PITA and build it into the Security Framework
as extra hooks (seems kludgy), which seem to be the two most apparent and
viable options.

One is that the Security Framework uses a multiple-challenge response mechanism like
NT does, and it is rather hard to keep track of threads, especially when you
are working with a module framework inside a modular framework. Not to
mention someone based this on the M$ COM crap, or at least there were a few
references in docs floating around about COM compatibility (which I
realize doesn't necessarily mean port).

The second being that the LoginWindow isn't directly using the Security
Framework; it is still using direct ties to NetInfo, which then looks
up in the Security Framework for authentication. Can I assume this is a
work in progress and hasn't been completed as of yet?

The third being that PAM doesn't support as many "options" as the Security
Framework does, and no one has worked around this problem, i.e. with another
option for the PAM config file which gets interpreted locally, like
APPLEAUTH: /file/to/optionlist, which really could be an option to plug into
the framework, so you can keep ssh people away from the CD player, etc.,
and better mesh PAM with the Security Framework. If this DOES happen, talk
to the PAM people, because I can see this being handy on other platforms
as well.

The fourth: currently PAM support is basically standalone, and only
registers with the Security Framework after/during its own process.

And last but not least, it didn't seem useful enough to be deemed a
priority. I could write a paper on the usefulness, but it will
suffice to say that with PAM support you get rid of some of the more
unique auth methods people use, without having to wait for non-Apple
people to write Security Framework plug-ins (as well as open up new ways to do
things).

Anyway, I am really happy PAM support was in fact added, so I am just
assuming that since it's still new we still have some kinks to work out, and I
think there might be some kinks to work out in the rest of the
auth system as well.

Sean


On Wed, 27 Nov 2002, Jordan Hubbard wrote:

> Short answer: You don't. LoginWindow doesn't use PAM, only the "Unix
> side" of the house does, e.g. ssh and a console login or other form of
> remote login. For LoginWindow, you need to write a security frameworks
> plug-in. Once you do that, PAM will use it since the default PAM
> authentication path includes a pam_securityframework plugin which jumps
> over to the security frameworks mechanism rather quickly.
>
> As to the why, it's pretty simple. Mac OS X was set up to use security
> frameworks, which also provides a chain of plug-ins based
> authentication scheme, well before PAM was introduced. Rather than
> have parallel mechanisms or a reference-counted, loop-detecting scheme
> which allowed security frameworks to chain to PAM and vice-versa
> without causing authentication loops, it was deemed simpler to have one
> be the default and just chain the mechanisms in a "Y" configuration.
>
> If that causes a lot of confusion going forward, I guess we could
> always write a security frameworks module which links to PAM at the
> very end of the chain, adding some extra hair to do the loop detection,
> but it's probably more work than it's worth unless people prove highly
> adverse to writing security frameworks plug-ins.
>
> - Jordan
>
> On Wednesday, November 27, 2002, at 07:56 AM, Sean wrote:
>
> > So how the heck do you get the login window to use PAM to authenticate
> > and
> > authorize for the Jaguar login window? I mean the more I read the less
> >
> --
> Jordan K. Hubbard
> Engineering Manager, BSD technology group
> Apple Computer
_______________________________________________
darwin-development mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-development