Re: darwin-development digest, Vol 3 #574 - 10 msgs



At 10:00 PM -0800 11/27/02, email@hidden wrote:
Date: Wed, 27 Nov 2002 12:17:04 -0800
Subject: Re: PAM questions. HELP!
Cc: email@hidden
To: Sean <email@hidden>
From: Jordan Hubbard <email@hidden>

Short answer: You don't. LoginWindow doesn't use PAM, only the "Unix
side" of the house does, e.g. ssh and a console login or other form of
remote login. For LoginWindow, you need to write a security frameworks
plug-in. Once you do that, PAM will use it since the default PAM
authentication path includes a pam_securityframework plugin which jumps
over to the security frameworks mechanism rather quickly.

As to the why, it's pretty simple. Mac OS X was set up to use security
frameworks, which also provides a chain of plug-ins based
authentication scheme, well before PAM was introduced. Rather than
have parallel mechanisms or a reference-counted, loop-detecting scheme
which allowed security frameworks to chain to PAM and vice-versa
without causing authentication loops, it was deemed simpler to have one
be the default and just chain the mechanisms in a "Y" configuration.

Not to throw stones (since I live in a glass house), but the practical situation is messier than your description suggests. There is LoginWindow, the screen saver and the "Unix side".

The first can be made to do Kerberos quite nicely by editing /etc/authentication. Kerberos can be made to do AFS with a Kerberos plugin, but not in the right PAG. That does nothing for the other two places you want to authenticate.

You can port the OpenAFS pam module to do the same things and solve two of the three problems. There is zero overlap in the work done to solve them, so trying to guarantee a consistent authentication policy between them is harder than I like.

That still leaves the screen saver. What does it do with passwords, and how do I make it do the same as the other two mechanisms?

Can I infer from your answer that if there was a security framework plugin it would get used in all three places? If there was a Kerberos security framework plugin would it call the Kerberos plugins (including the AFS kerberos plugin)? Would it call them in the right context to create a PAG?

On Wednesday, November 27, 2002, at 07:56 AM, Sean wrote:

> So how the heck do you get the login window to use PAM to authenticate and
> authorize for the Jaguar login window? I mean the more I read the less


FWIW I agree with the decision to prohibit authentication loops. It should be easy to audit the implemented security policy on any machine. (That of course means it should be easy to make sure all three authentication paths are identical as I said.)

I think I disagree with having PAM call the security framework. If there is to be any hope of leveraging off of existing open source implementations then PAM should be usable by all three of the authentication routes I mentioned.

The alternative would be to provide a generic security framework wrapper for PAM code so it can be ported trivially by programmers ignorant of the security framework.

<nit>
I think it's better to have stuff in /usr/{include,lib}/pam/ than in /usr/{include,lib}/security/. Using the name /security/ is overblown and uninformative. Also changing it in open source code is something that can be done by "programmers ignorant of the security framework".
</nit>
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
email@hidden, or email@hidden
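The poster's point that "it should be easy to audit the implemented security policy on any machine" and to confirm that all three authentication paths (login window, screen saver, the Unix side) agree is something a defender can mechanise. The following script is an added example, not code from the thread or from Apple: it parses `/etc/pam.d`-style service files (the `type control module args` line format, including Linux-PAM's bracketed `[value=action]` control field) and reports where each service's auth/account/session stack diverges from a reference service. The three service files are constructed samples embedded inline; real file names and module stacks depend on the OS release, and `pam_securityframework` is named only because the quoted message mentions it.

```python
"""Compare PAM module stacks across services to spot inconsistent policy.

Added example (not from the mailing-list thread). The service texts below
are constructed samples in /etc/pam.d style.
"""
from collections import namedtuple

PamRule = namedtuple("PamRule", "type control module args")

# Constructed sample service files: the "login" and "sshd" stacks agree,
# while the "screensaver" stack skips pam_securityframework and has no
# session phase. Names and contents are illustrative only.
SAMPLE_SERVICES = {
    "login": """\
# constructed sample, not a real Mac OS X file
auth       required    pam_securityframework.so
auth       required    pam_unix.so
account    required    pam_unix.so
session    required    pam_unix.so
""",
    "sshd": """\
auth       required    pam_securityframework.so
auth       required    pam_unix.so
account    required    pam_unix.so
session    required    pam_unix.so
""",
    "screensaver": """\
auth       required    pam_unix.so
account    required    pam_unix.so
""",
}


def _split_rule(line):
    """Tokenise one rule line, keeping a bracketed control field intact.

    Linux-PAM allows controls such as "[success=1 default=ignore]", which
    contain spaces, so a naive split() would misplace the module name.
    """
    tokens = line.split()
    if len(tokens) >= 2 and tokens[1].startswith("["):
        closing = [i for i, t in enumerate(tokens) if t.endswith("]")]
        if not closing:
            raise ValueError(f"unterminated control field: {line!r}")
        end = closing[0]
        tokens = [tokens[0], " ".join(tokens[1:end + 1])] + tokens[end + 1:]
    return tokens


def parse_pam_service(text):
    """Parse a PAM service file body into a list of PamRule entries."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = _split_rule(line)
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        rules.append(PamRule(parts[0].lower(), parts[1].lower(),
                             parts[2], tuple(parts[3:])))
    return rules


def stack_for(rules, mtype):
    """Return the ordered module stack for one management type."""
    return [r for r in rules if r.type == mtype]


def compare_services(services, reference,
                     mtypes=("auth", "account", "session")):
    """Map each service to the types whose stack differs from `reference`.

    The value for a differing type is (reference_modules, service_modules),
    so the report shows exactly which modules were dropped or added.
    """
    parsed = {name: parse_pam_service(text) for name, text in services.items()}
    ref = parsed[reference]
    findings = {}
    for name, rules in parsed.items():
        if name == reference:
            continue
        for mtype in mtypes:
            a, b = stack_for(ref, mtype), stack_for(rules, mtype)
            if a != b:
                findings.setdefault(name, {})[mtype] = (
                    [r.module for r in a], [r.module for r in b])
    return findings


if __name__ == "__main__":
    for svc, diffs in compare_services(SAMPLE_SERVICES, "login").items():
        for mtype, (expected, actual) in diffs.items():
            print(f"{svc}: {mtype} stack {actual} differs from login {expected}")
```

Running it on the constructed samples reports that `screensaver` lacks `pam_securityframework.so` in its auth stack and has no session stack at all, while `sshd` matches `login`; pointing `SAMPLE_SERVICES` at real files read from `/etc/pam.d` turns the same comparison into a quick consistency check across a fleet.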