Re: PAM vs GSSAPI?
From: Simon Josefsson
Subject: Re: PAM vs GSSAPI?
Date: Tue, 20 Mar 2007 14:59:58 +0100
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.95 (gnu/linux)
"Ashwin Ganti" <address@hidden> writes:
>> Hello Ashwin! From what you describe, I think you'll need to
>> implement both PAM and GSS-API support for your security mechanism.
>> The reason is that PAM and GSS-API are two quite different things.
>> They are not two solutions to the same problem.
>
> Would PAM in someway need to interact with GSSAPI or can the security
> mechanism be directly implemented in a PAM module ?
It depends on your system architecture.
It is possible to build a PAM module that implements your security
infrastructure internally, without any use of GSSAPI, much like the
/etc/passwd PAM module etc. BUT NFS and SSH will not support it
automatically; they will still treat it as a username/password-derived
backend.
It may be possible to implement a PAM module that calls GSS-API
functions to perform the host login, but I don't recall seeing anyone
doing that. For example, while I don't really know for sure, I think
that all the Kerberos 5 PAM modules use native krb5 APIs instead of
GSS-API. Your security architecture is equivalent to krb5 from this
conceptual point of view.
Btw, there is a very simple PAM module for Shishi (our krb5
implementation) inside Shishi, see extra/pam_shishi/.
>> You'll need PAM for local host-login to the system. If your security
>> mechanism can verify passwords, having a PAM mechanism will solve the
>> problem for ssh servers too.
>
> Does this mean that SSH uses PAM-based authentication? If I am not
> mistaken, OpenSSH has GSSAPI support too. Not sure which one is
> being used now.
Yes, SSH servers often use PAM to do authentication and authorization,
especially when SSH is used with passwords.
SSH also supports GSS-API, to be able to support new security
infrastructures over the wire.
Keep in mind that PAM doesn't have anything to do with the bits and
bytes sent over the network, while GSS-API is all about that.
>> You'll need to write a GSS-API mechanism for NFS and SSH, especially
>> if your security mechanism is not based on passwords. Fortunately,
>> both NFS and SSH support GSS-API, but for some other protocols (e.g.,
>> TLS or EAP) you'll have add support for your security mechanism
>> directly since there is no standard way to use a GSS-API mechanism in
>> those protocols.
>>
> As of now I am more concerned with getting this working with SSH and
> NFS, so from your comment I think GSSAPI should solve my immediate
> problem.
Yes, for NFS you definitely need GSS-API, and it will work for SSH
too. You may need PAM support too, but it seems less important.
>> I hope this helps. If you want to write your GSS-API mechanism and ship
>> it with GNU GSS, that would be a welcome contribution! The intention
>> is that GNU GSS should be a flexible plugin-architecture for all kinds
>> of GSS-API mechanisms. I have thought about a dlopen() approach,
>> which would allow you to hook into GNU GSS at run-time, without having
>> a link-dependency between GNU GSS and your project, which sometimes
>> (especially when packaging both projects for Debian etc) can be
>> beneficial.
>>
>
> Thanks a lot for the information Simon. I would love to have this ship
> with GNU-GSS but I guess there is still a long way for me to go in
> implementing this. I still need to fully understand the internals of
> GSSAPI before I have this ready.
> I shall get back with further queries if I have any, once I start the
> implementation.
Sounds great. If you want to share any information on the security
infrastructure, I can give early comments on it.
/Simon