[558] in linux-security and linux-alert archive


Re: Password checking - JFH the way forward ?

daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Wed Jan 10 19:12:28 1996

Date: Wed, 10 Jan 1996 16:54:35 -0500
From: "Theodore Ts'o" <tytso@MIT.EDU>
To: Ian Jackson <ian@chiark.chu.cam.ac.uk>
Cc: Linux Security list <linux-security@tarsier.cv.nrao.edu>
In-Reply-To: Ian Jackson's message of Wed, 10 Jan 96 14:02 GMT,
	<m0ta16s-0002aEC@chiark.chu.cam.ac.uk>


[To the Moderator:  I know you asked that replies go to Ian, but I think
 this is important enough that people on the list see it.  It's also
 only somewhat tangentially related to Ian's article, anyway. -- Ted]

Ian was talking about designing a new password-checking API.  Actually,
there's an emerging standard for an interface that handles
password-checking, password changing, login session account management,
etc.  

It's called Pluggable Authentication Modules, and it was proposed by
SunSoft, although it's since gotten acceptance from a number of
standards and industry consortium bodies, including OSF and the Common
Desktop people.

The advantage of this scheme is that if you code your application to use
PAM, it's possible to *dynamically* (via a config file and dynamically
linked libraries using dlopen()) add or change how /bin/login works.
This could mean adding shadow passwords, or it could mean adding
Kerberos support.  It could also allow you to mount a remote filesystem
as your home directory during the login sequence.  (This is done for
example at MIT's Project Athena environment.  With PAM, it allows us to
do all of our Athena customizations without needing to recompile any
vendor binaries!)

That is PAM's nicest feature --- by dropping in a library and making a
change to a configuration file, *all* applications (login, telnetd,
rlogind, ftpd, etc.) that had been linked with the PAM library could be
changed at one fell swoop to start using Kerberos, S/Key, Shadow
Passwords, etc. --- without needing to recompile anything!

I think that developing a PAM library for Linux would be a Good Thing.
I don't have a lot of time right now, though; if there's someone who
does have time, please send me e-mail.  I'd be happy to help coordinate
and lend design assistance --- I just don't have enough coding time to
do this myself.  Thanks!!

						- Ted

Ref:   (By the way OTP is the new generic term for S/Key(tm), which is a
trademark of Bellcore.  This is taken from the IETF OTP working group,
which is working to make S/Key an Internet standard.)

To: ietf-otp@bellcore.com, meister@ftp.com
Subject: PAM overview
Date: Tue, 12 Dec 1995 15:18:00 -0500
From: Bill Sommerfeld <sommerfeld@apollo.hp.com>


I made reference to PAM (the SunSoft "pluggable authentication module"
interface for UNIX and UNIX-like systems) during Phil Servita's
presentation during the OTP WG meeting.  

It is my understanding that a number of UNIX systems vendors will
shortly be shipping systems which provide a PAM interface to allow
system administrators to plug in their own login-time authentication
modules.  I suspect that a PAM OTP module would be fairly
straightforward to construct.

I did some digging and found the following URL, which is OSF RFC 86.0:

	http://www.pilgrim.umass.edu/pub/osf_dce/RFC/rfc86.0.txt

According to Walt Tuvell of OSF, as an employee of an OSF member, I am
free to distribute this document to anyone.

Note that I have nothing to do with PAM directly; send comments about
the draft to the authors, not me.

						- Bill

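As an illustration of the drop-in behaviour Ted describes (swap or stack authentication methods for every PAM-linked service by editing a configuration file, with no recompilation), here is a Linux-PAM style configuration. This is an added example, not part of the original mail or of any PAM implementation; Linux-PAM itself postdates this message. It assumes a Debian-style /etc/pam.d/ layout where each per-service file pulls in shared stacks via @include, and that pam_krb5.so from the separate pam-krb5 project is installed.

```text
# /etc/pam.d/login   (sshd, ftpd, ... carry the same three lines, so a
# single edit to a common-* file below changes every one of them at once)
@include common-auth
@include common-account
@include common-session

# /etc/pam.d/common-auth
# Kerberos first.  "sufficient": success ends the auth stack right here
# (unless an earlier "required" line already failed); failure just falls
# through to the next line, so local-only accounts keep working.
auth     sufficient  pam_krb5.so
# Local /etc/shadow check.  "required": failure makes the whole stack
# fail, but the remaining lines still run, so a caller cannot tell which
# module rejected the attempt.  use_first_pass reuses the password the
# Kerberos module already asked for instead of prompting a second time.
auth     required    pam_unix.so use_first_pass

# /etc/pam.d/common-account
account  required    pam_unix.so

# /etc/pam.d/common-session
session  required    pam_unix.so
# Login-time site customisation of the kind Ted mentions for Athena:
# create the home directory on first login.  "optional": its result
# never decides the outcome of the session stack.
session  optional    pam_mkhomedir.so skel=/etc/skel umask=0077
```

Because the shared file is included by every service, a control-flag mistake there (for instance marking the local check `sufficient` as well, which would let a Kerberos failure be ignored) weakens all of them at once, so edits to common-* stacks are best tested with a second, already-authenticated session kept open.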
