Bind update

Joerg Sonnenberger joerg at britannica.bec.de
Mon Nov 24 08:27:17 PST 2003


On Sun, Nov 23, 2003 at 10:34:31AM -0500, Richard Coleman wrote:
> Well, I was just being sloppy.  When I talk about centralized 
> authentication, I'm actually talking about something more general than 
> just handling the authentication phase.  I want to centralize all 
> aspects of user/group account management (authentication, authorization, 
> uid -> username mappings, etc).  I imagine this is common for most 
> sysadmins that want to build such systems.

Well, from the admin's POV you want to centralise it.
But for the programming both are quite different. Both
authorization and uid/username mappings are public information
or at least most often implemented as public information.
The authentication requires special care to be used securely
and is often done in an application or protocol specific way.
The authentication for POP3 is either plain text passwords or
SASL, both not usable with generic modules of a generic
framework like PAM. A program like login or xdm has other needs:
(1) providing the login dialog
(2) validating the user by some means
(3) setting up the session
(4) running some programs
(5) cleaning up

A framework can use a specific view for (1) to get the
credentials to implement (2). (3) and (5) are highly
application dependent and IMO badly implemented in PAM.
One way to implement this is to exec a shell script on startup ;-) 

But to return to the beginning, this doesn't affect which
source the system authenticates a user against.

> 
> I've went through the NetBSD archives and read the thread on BSD auth 
> versus shared libraries, but never found much details on the BSD auth 
> method.  Where can I read about this?

Well, one idea is to read bsd_auth(3) on OpenBSD for the interface.
Also check src/libexec/login_{chpass,krb5,lchpass,radius,reject,skey,token}
from their repository. Those are the actual authentication apps.

> 
> So far, the only working systems I've seen accomplish this are using 
> dynamic libraries (that's how it's done in both Solaris, Linux, and now 
> FreeBSD-current).  I've never seen anyone actually implement the 
> alternates that are discussed in a method that solves all the necessary 
> problems.

Well, one point in the NetBSD thread is that BSD auth can't solve all
problems without some rewrites like the PAG support for AFS. Some others
are examples of bad programming practice. Otherwise it is working quite
well for OpenBSD and BSD/OS.

> 
> Most of the people that argue against this try to convince everyone that 
> they don't really need those features, and the arguments degenerate from 
> there.

Right. Do you need an authentication or, at some point, a lookup plugin
which can and does modify your address space, process settings or
similar? Those arguing for BSD auth have a clean answer ;-)

BTW it has the advantage of allowing independent protection domains for
the authenticator and free choice of implementation language.
For example, if you leave out the su functionality of login,
like OpenBSD did, you don't need setuid-root for login, only for the
authenticator (well, setgid shadow).

Joerg

> 
> Richard Coleman
> richardcoleman at xxxxxxxxxxxxxx
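
An added illustration of the separate-process model discussed above (this is example code, not from the thread or from OpenBSD's login sources): a minimal C harness that runs an authenticator in its own process with a pipe on file descriptor 3, the back channel bsd_auth(3) authenticators write their verdict to, and grants access only on an explicit "authorize" line. The /bin/sh one-liners standing in for login_* scripts in main are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

enum auth_result { AUTH_REJECT, AUTH_AUTHORIZE };

/* Parse the lines the authenticator wrote to its back channel (fd 3).
 * Keywords may carry an argument ("authorize root", "reject challenge");
 * other lines such as "setenv NAME VALUE" are not verdicts and are skipped. */
enum auth_result parse_backchannel(const char *buf)
{
    int authorized = 0, rejected = 0;
    while (*buf) {
        size_t n = strcspn(buf, "\n");
        if (strncmp(buf, "authorize", 9) == 0 && (n == 9 || buf[9] == ' '))
            authorized = 1;
        else if (strncmp(buf, "reject", 6) == 0 && (n == 6 || buf[6] == ' '))
            rejected = 1;
        buf += n + (buf[n] == '\n');
    }
    /* Fail closed: any reject, or no verdict at all (e.g. a crashed
     * authenticator), denies access. */
    return (authorized && !rejected) ? AUTH_AUTHORIZE : AUTH_REJECT;
}

/* Run one authenticator as a separate process. Only the child needs the
 * authenticator's privileges and code; the caller just reads text. */
enum auth_result run_authenticator(char *const argv[])
{
    int fd[2];
    char buf[1024];
    ssize_t n, total = 0;
    pid_t pid;
    if (pipe(fd) == -1 || (pid = fork()) == -1)
        return AUTH_REJECT;
    if (pid == 0) {                          /* child: back channel on fd 3 */
        close(fd[0]);
        if (dup2(fd[1], 3) == -1) _exit(1);
        if (fd[1] != 3) close(fd[1]);
        execv(argv[0], argv);
        _exit(1);                            /* exec failed: no verdict */
    }
    close(fd[1]);
    while ((n = read(fd[0], buf + total, sizeof buf - 1 - total)) > 0)
        total += n;
    close(fd[0]);
    buf[total] = '\0';
    waitpid(pid, NULL, 0);
    return parse_backchannel(buf);
}

int main(void)
{
    /* Constructed stand-ins for login_* scripts: each writes its verdict to fd 3. */
    char *ok[] = { "/bin/sh", "-c", "echo authorize >&3", NULL };
    char *no[] = { "/bin/sh", "-c", "echo reject >&3", NULL };
    printf("ok=%d no=%d\n", run_authenticator(ok) == AUTH_AUTHORIZE,
           run_authenticator(no) == AUTH_REJECT);
    return 0;
}
```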
