Re: PAM and libpwdb
Andrew Morgan wrote:
> >
> > Something else that would be cool would be a PAM (or NSS?) module for
> > getting one's password from the Samba-format encrypted password file
> > instead of /etc/shadow. It really does the same thing, it's just that
> > using the WinNT-compatible encryption format, one can use WinNT password
> > encryption on the net.
> >
> > (NT encryption, unlike LanManager encryption, is actually useful for
> > security.)
>
> Where PAM is currently weak is with respect to non-password based
> authentication. The last couple of releases of the Linux-PAM tar ball
> have included support for a client side PAM implementation. IMHO, this
> is the missing link for taking PAM to the next level. I've already used
> it to implement a fingerprint authentication scheme (using one of these
> biomouse things http://abio.com/), and with the recent changes in US and
> kernel.org policies, I'm hopeful that I'll soon be able to distribute
> some strong mutual authentication schemes as PAM module/agents.
>
Well, this would still be a password-based scheme (unlike, say,
authenticating via an NT domain server.) Just a different encryption
scheme, really.
> Is that a reasonable summary?
Sure is.
-hpa
--
<hpa@transmeta.com> at work, <hpa@zytor.com> in private!
"Unix gives you enough rope to shoot yourself in the foot."