help-gss

Re: PAM vs GSSAPI?


From: Simon Josefsson
Subject: Re: PAM vs GSSAPI?
Date: Tue, 20 Mar 2007 17:45:33 +0100
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.95 (gnu/linux)

"Ashwin Ganti" <address@hidden> writes:

> Thanks Simon for the information.
>
> Please correct my understanding here:
>
> 1. I would need to write a PAM module for authenticating the user to
> the host initially and create his security credential once she is
> authenticated. This module would be using the native security API that
> I would provide. It would be very similar to the pam_krb5 module.

Yes.  Whether or not the PAM module is used for initial creation of
the security credential is not important.  Initial registration could
be done outside of PAM, but it seems to be a trend to provide initial
registration via PAM, typically upgrading an existing infrastructure
(password-based) into a new security architecture.

> 2. Coming to the ssh authentication part since my authentication
> doesn't use passwords (instead it uses certificates containing the
> authentication information to authenticate the user), I would need to
> provide a GSSAPI support for the client side as well as the server
> side.

If your architecture uses asymmetric algorithms and X.509
certificates, you should probably look at the SSH X.509 authentication
mechanism rather than GSSAPI.  See RFC 4819.  It is possible to do
X.509 via GSSAPI, but I think RFC 4819 is likely to be more widely
adopted.

> 3. This is not related to the current topic but when I was going
> through the pam_shishi there seems to be many TODO's in the code for
> many of the pam support functions. Would it be possible to include
> this as a Google Summer of Code project for this summer. I would like
> to volunteer to work on it to complete the pending implementation and
> put it as the summer of code project. Please let me know if this is
> feasible or if there is any other work related to this area.

Oh boy, yes, that would indeed be possible, and I'd be very interested
to work with you on this.  Shishi is a GNU project, and GNU has been
approved for SOC.  Please sign up as a student if you haven't done so
already.

I have not had time to submit SOC project ideas yet, but the deadline
is fast approaching (Friday!) and I'll see if I can get it done tonight.

A PAM module may be a bit narrow scope, but if we add support for
migrating existing users (based on their username+password) that could
be something useful.  Another idea would be to bring my work on LSH (an
SSH implementation) with support for GSS-API up to date, so it
supports Kerberos V5 via Shishi too.

/Simon

> Thanks.
>
>
> On 3/20/07, Simon Josefsson <address@hidden> wrote:
>> "Ashwin Ganti" <address@hidden> writes:
>>
>> >> Hello Ashwin!  From what you describe, I think you'll need to
>> >> implement both PAM and GSS-API support for your security mechanism.
>> >> The reason is that PAM and GSS-API are two quite different things.
>> >> They are not two solutions to the same problem.
>> >
>> > Would PAM in some way need to interact with GSSAPI or can the security
>> > mechanism be directly implemented in a PAM module?
>>
>> It depends on your system architecture.
>>
>> It is possible to build a PAM module that implements your security
>> infrastructure internally, without any use of GSSAPI, much like the
>> /etc/passwd PAM module etc.  BUT, NFS and SSH will not support it
>> automatically, it will still treat it as a username/password-derived
>> backend.
>>
>> It may be possible to implement a PAM module that calls GSS-API
>> functions to perform the host login, but I don't recall seeing anyone
>> doing that.  For example, while I don't really know for sure, I think
>> that all the Kerberos 5 PAM modules use native krb5 APIs instead of
>> GSS-API.  Your security architecture is equivalent to krb5 from this
>> conceptual point of view.
>>
>> Btw, there is a very simple PAM module for Shishi (our krb5
>> implementation) inside Shishi, see extra/pam_shishi/.
>>
>> >> You'll need PAM for local host-login to the system.  If your security
>> >> mechanism can verify passwords, having a PAM mechanism will solve the
>> >> problem for ssh servers too.
>> >
>> > does this mean that ssh uses pam based authentication...if I am not
>> > mistaken openssh has gssapi support in that too...not sure which one
>> > is being used now..
>>
>> Yes, SSH servers often use PAM to do authentication and authorization,
>> especially when SSH is used with passwords.
>>
>> SSH also supports GSS-API, to be able to support new security
>> infrastructures over the wire.
>>
>> Keep in mind that PAM doesn't have anything to do with the bits and
>> bytes sent over the network, while GSS-API is all about that.
>>
>> >> You'll need to write a GSS-API mechanism for NFS and SSH, especially
>> >> if your security mechanism is not based on passwords.  Fortunately,
>> >> both NFS and SSH support GSS-API, but for some other protocols (e.g.,
>> >> TLS or EAP) you'll have to add support for your security mechanism
>> >> directly since there is no standard way to use a GSS-API mechanism in
>> >> those protocols.
>> >>
>> > as of now I am more concerned with getting this working with SSH and
>> > NFS...so from your comment I think GSSAPI should solve my immediate
>> > problem...
>>
>> Yes, for NFS you definitely need GSS-API, and it will work for SSH
>> too.  You may need PAM support too, but it seems less important.
>>
>> >> I hope this helps.  If you want to write your GSS-API mechanism and ship
>> >> it with GNU GSS, that would be a welcome contribution!  The intention
>> >> is that GNU GSS should be a flexible plugin-architecture for all kinds
>> >> of GSS-API mechanisms.  I have thought about a dlopen() approach,
>> >> which would allow you to hook into GNU GSS at run-time, without having
>> >> a link-dependency between GNU GSS and your project, which sometimes
>> >> (especially when packaging both projects for Debian etc) can be
>> >> beneficial.
>> >>
>> >
>> > Thanks a lot for the information Simon. I would love to have this ship
>> > with GNU-GSS but I guess there is still a long way for me to go in
>> > implementing this. I still need to fully understand the internals of
>> > GSSAPI before I have this ready.
>> > I shall get back with further queries if I have any, once I start the
>> > implementation.
>>
>> Sounds great.  If you want to share any information on the security
>> infrastructure, I can give early comments on it.
>>
>> /Simon
>>
>
>
> -- 
> Impossibility is a relative concept
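
How the two layers discussed in this thread appear side by side on an OpenSSH server, as an added example that is not part of the original messages. `pam_mymech.so` is a hypothetical module name standing in for the custom PAM module; the sshd_config keywords are standard OpenSSH options.

```conf
# ---- /etc/ssh/sshd_config (fragment) ----
# PAM path: sshd hands the secret typed by the user to the PAM "auth" stack.
# Nothing mechanism-specific crosses the wire; sshd only sees pass/fail.
UsePAM yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes

# GSS-API path: client and server exchange opaque mechanism tokens inside
# the SSH userauth protocol (method "gssapi-with-mic"). No password is sent.
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

# ---- /etc/pam.d/sshd (fragment) ----
# Consulted for the password / keyboard-interactive methods above.
auth     required   pam_mymech.so    # hypothetical module: verify user, create credential
# With UsePAM yes, the account and session stacks also run for logins that
# authenticated through GSS-API, so authorization and session setup can
# still live in PAM even when authentication does not.
account  required   pam_mymech.so    # hypothetical module: is this user allowed to log in?
session  optional   pam_mymech.so    # hypothetical module: set up / tear down credential cache
```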



