authentication

[Charlie Brady]

On Fri, 24 Oct 1997, Luke Kenneth Casson Leighton wrote:

> On Fri, 24 Oct 1997, Leslie Mikesell wrote:
> 
> > I know the domain authentication business is pretty new, but are
> > there any plans to integrate it with anything beyond windows clients?
> > That is, could I someday hope to have a single password file and
> > server and validate everything against it through combinations of
> > PAM/radius/CHAP/PAP/LDAP/NIS+ or something not invented yet?
> 
> i'm going to say yes.  but it depends on whether someone does any work on 
> this or not.  i'm currently working on smbclient, so that i can test 
> smbd, and also so that it will be relatively simple for someone to write 
> a PAM for linux.

To answer Leslie's question in a different way, and in fact to restate
the question:

> > That is, could I someday hope to have a single password file and 
> > server and validate everything against it through combinations of
> > radius/CHAP/PAP/LDAP/NIS+ or something not invented yet?

Yes, this is precisely the intention of PAM - to move the authentication
code out of applications which require authentication, and leave behind
hooks into a programmable authentication subsystem. Then you can have one
or more authentication databases, as you wish, without the applications
being modified. PAM exists for Linux (www.kernel.org/pub/linux/libs/pam/)
and Solaris, and might be on the way for FreeBSD. It's designed to be a
portable standard.

Getting back to the original question, PAM is not another alternative to
radius/CHAP/ etc, but a nice unifying way of using all those from
applications. A PAM module for LDAP especially welcome, I would guess.
Ditto for ports to other platforms.

Charlie Brady - Telstra  |internet: cbrady at ind.tansu.com.au
Network Products         |Snail    : Locked Bag 6581, GPO Sydney 2001 Australia
Platform Technologies    |Physical : Lvl 2, 175 Liverpool St, Sydney 2000
 IN-Sub Unit - Sydney    | Phone: +61 2 9206 3470 Fax: +61 2 9281 1301