Subject: Re: PAM
To: Love <lha@stacken.kth.se>
From: Greg A. Woods <woods@weird.com>
List: current-users
Date: 09/25/2002 20:51:31
[ On September 25, 2002 at 19:28:02 (+0200), Love wrote: ]
> Subject: Re: PAM
>
> woods@weird.com (Greg A. Woods) writes:
> >
> > For "bit-rotting research projects" I suspect you're referring to Robert
> > Watson's experimental implementation of a new design in FreeBSD (and
> > perhaps Linux too?):
> > 
> > 	http://www.watson.org/fbsd-hardening/tokens/fbsd-tokens-0.2/docs/proposal.txt
> 
> With the exception that this still requires PAM since there is no way to
> modify another process's pag.

No, it does not _require_ PAM.  I think your PAM blinders are preventing
you from seeing the obvious alternatives.

> > Watson does also advocate PAM, it's not a fundamental part of the design
> > he promotes.
> 
> It is

No, it is not.  Watson's proposal works perfectly well for static-linked
code.

> since there is no set_pag_for_pid() in his api.

That's a different problem.  Static linked code does not require by
definition that the authentication be done in a separate process.  A
separate process simply lends one a number of new features.  Whether
those features are useful or not depends highly on the circumstances
where and why a particular auth scheme is being used.

Indeed in Watson's API there isn't a way to modify/assign the PAG for
another process, but that's a pretty trivial and obvious modification to
make.  Take off your PAM blinders!  ;-)


> > Douglas Engert has also implemented some interesting ideas in this area:
> > 
> > 	http://www.ornl.gov/~jar/dfs-afs.html
> 
> Same thing here.

You apparently didn't read far/closely enough:

   SUGGESTED MODIFICATION

   If the PAG can be created, but not initialized, in one process with a
   simple syscall, then filled in using set_login_set_context from some
   child process, then this would solve a number of problems.

 [[ .... ]]

   Separating the creation of the PAG from filling it in with
   information is exactly the way AFS did it, the pagsh program for
   example creates the PAG, and the klog program running as a child
   process adds the AFS tickets.

 [[ .... ]]

   I have successfully created a DCE version of the pagsh which gets the
   PAG using the syscall, and a program k5dcelog which uses
   sec_login_set_context to fill it in. These currently run on
   Solaris 2.5. I will be trying them on at least AIX 4.2 and HPUX 10.20
   using DCE 1.1 based systems.  Looking at the DCE 1.2.2 source, this
   should continue to work.

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>