OpenSSH, PAM and kerberos

[Lev Serebryakov]

Hello, Dag-Erling.
You wrote 4 сентября 2013 г., 11:53:14:

DES> Lev Serebryakov <lev at FreeBSD.org> writes:
>> Accept input from hostile user is huge security issue per se? Ouch. In
>> modern world there are only hostile users. Yes, all our software has
>> huge security issue, I know that :)
DES> Please look up "privilege separation" on Wikipedia so you have at least
DES> *some* idea of what we're talking about.
  I have *some* idea what "privilege separation" is, thank you.

>> As far as I understand, PAM is not 40-years-old getpwnam() API. It is
>> (relative) modern API to replace getpwnam(), with support of modern
>> identity databases in mind.
DES> No, PAM does not replace getpwnam().  PAM does not handle identity at
DES> all.  NSS handles identity with the old getpwnam() API.
  Ouch. Why didn't you see, that it was quotation from your message? I know,
that PAM is not exact replacement for getpwnam(), as it only "check
password" (please, don't point me out, that it could do more than "check
password", I know, and I use quotes here to point at fact that it some
simplification), but I thought, that you use this concrete function call as
meta-name for all old AAA/identity API from POSIX, and I accept it.

DES> I'm not going to answer the rest - it is so full of misconceptions,
DES> fallacies and incorrect assumptions that I simply don't have the
DES> energy.
  BTW, you wrote in other message:

DES> I am *not* proposing to move PAM into a daemon.  I am proposing
DES> something completely new.  I thought I made that clear.
  No, you didn't make it clear. All your previous messages left impression,
that you propose to move PAM API to separate daemon with somewhat simplier
API, accessible via socket.

  Do you have any notes, draft, whatever, about what you propose exactly,
 more specific than "we need AAA/identity daemon instead of all old APIs"?

-- 
// Black Lion AKA Lev Serebryakov <lev at FreeBSD.org>