which krb5 PAM module on Solaris 8?
Sam Hartman
hartmans at MIT.EDU
Mon Aug 4 13:53:37 EDT 2003
>>>>> "Brian" == Brian Davidson <bdavids1 at gmu.edu> writes:
Brian> Why not use nsswitch for authorization? I'm assuming it's
Brian> available on Solaris since Sun developed it (I don't have
Brian> any Solaris boxes at the moment). Basically all password
Brian> file lookups are redirected to LDAP via nss_ldap. It seems
Brian> to me that authentication is best left to PAM, while
Brian> authorization is better handled by a hook into the system
Brian> calls that are used for authorization (i.e. what nsswitch
Brian> does).

Because existence in the password file should not be tied to
authorization. I might want (and in fact do) all my users to exist in
my password files so that ls works, so that I can do group to name
mappings, etc.
I do not want that to imply authorization.

Also, for things like time-of-day based authorization, having the user
suddenly drop out of the password file would be undesirable.

PAM has hooks for this; they work about as well as the rest of PAM.