tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: BSD Auth

On Tue, Aug 19, 2008 at 05:13:11PM +0900, SODA Noriyuki wrote:
 > > [kerberos]
 > The authentication module of PAM runs inside of the caller's process,
 > so it's possible to change the state of the process.
 > The authentication module of BSD Auth runs as a differnet process
 > from the caller's process, so it's impossible.

Nonsense. The application process needs to be able to communicate with
the bsdauth process anyway; there's nothing inherent that prevents
such communication from including Kerberos tickets.

Whether bsdauth as it currently exists is actually capable of doing
this properly is another question; but it's also not entirely clear
that PAM as it exists can do this properly either.

David A. Holland

Home | Main Index | Thread Index | Old Index