OpenSSH, PAM and kerberos

Dag-Erling Smørgrav des at des.no
Wed Sep 4 13:02:51 UTC 2013


Lev Serebryakov <lev at FreeBSD.org> writes:
> I'm trying to write a short list of requirements for this completely new
> solution; where am I wrong? I'm sure I am, but where? Thank you.

This is a very good list, and very close to what I was thinking.  Some
items, e.g. (1) and (4), seem blindingly obvious to me, but perhaps not
to everybody.

Regarding compatibility: support for the legacy getpw* API is an
absolute requirement.  If we can't achieve that, we can just forget
about the whole thing.  NSS and PAM compatibility, however, would be on
a "best effort" basis.  Allowing existing applications to use the new
framework through NSS and PAM should be fairly easy.  Allowing the new
framework to use existing NSS and PAM modules would be hard, and
probably not worth the effort if we can provide plugins for the most
important backends (LDAP, Kerberos, RADIUS, OATH...) from day one.

DES
-- 
Dag-Erling Smørgrav - des at des.no


More information about the freebsd-security mailing list