NSS and PAM

Brandon S. Allbery KF8NH allbery at ece.cmu.edu
Mon Dec 1 21:15:39 PST 2003


On Mon, 2003-12-01 at 21:24, Tim Kientzle wrote:
> Why is the directory "usually the worst" for storing
> authentication information?

This one's fairly easy to answer:  you want to stick authentication data
into a potentially public/exposed directory?  Even traditional Unix uses
/etc/shadow (or more complex solutions on some commercial systems) these
days, so the password isn't in the "directory" (/etc/passwd).

However, I have to agree with des's argument:  a combined matrix for
directory and authentication services doesn't mean the *data* must be
combined.  Using (for example) SIA, one could specify Kerberos 5 (my
guess as to wollman's "better answer") and LDAP, and simply not specify
entry points for the parts that each doesn't handle (Kerberos doesn't
support directory services, and LDAP isn't being used for
authentication), with later entries falling back to NIS or traditional
files.  But this arrangement allows traditional APIs to work reasonably
--- and you can layer PAM and NSS on top of it as compatibility APIs.

-- 
brandon s. allbery    [linux,solaris,freebsd,perl]     allbery at kf8nh.com
system administrator      [WAY too many hats]        allbery at ece.cmu.edu
electrical and computer engineering, carnegie mellon univ.         KF8NH
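As an added illustration, not part of the original thread, of keeping directory data and authentication data separate as the post argues: an assumed FreeBSD-style /etc/nsswitch.conf that answers account lookups from local files and then an LDAP directory (the `ldap` source assumes the nss_ldap port is installed), and an assumed /etc/pam.d service stack that authenticates against Kerberos 5 and falls back to the local password file, so the LDAP directory itself never needs to hold a password hash.

```conf
# /etc/nsswitch.conf (assumed layout; "ldap" is provided by the nss_ldap port)
# Directory data only: names, uids, gids, home directories, shells.
# Each source is tried in order; a later source is consulted only when the
# earlier one reports the entry as not found.  An "nis" source could be
# appended after "ldap" for a NIS fallback if ypbind is running.
group:    files ldap
passwd:   files ldap
hosts:    files dns

# /etc/pam.d/login (assumed; FreeBSD PAM stack syntax)
# Authentication only: Kerberos 5 first, local master.passwd as the fallback.
# "sufficient" ends the auth chain on a Kerberos success; on failure the
# "required" pam_unix line runs and reuses the password already typed.
auth      sufficient   pam_krb5.so     no_warn try_first_pass
auth      required     pam_unix.so     no_warn try_first_pass
# Account and session checks use the local modules, which work from the
# account attributes NSS already returned; nothing here asks LDAP for secrets.
account   required     pam_unix.so
session   required     pam_permit.so
```

The directory answers "who is this user", the Kerberos KDC answers "did they prove it", and the only place a password hash lives is /etc/master.passwd for the fallback accounts.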
