Thread: PAM vs GSSAPI?

PAM vs GSSAPI?
Ashwin Ganti
2007-03-16 15:41:15
Hi,

We are implementing a new security mechanism (similar to Kerberos) and want to integrate it with apps like NFS, SSH etc.

What I am wondering here is whether to have a PAM module that implements the security mechanism (similar to pam_krb5) or to provide a GSSAPI implementation.

For example, I have checked the code for OpenSSH only to see that it seems to have both PAM support and GSSAPI usage too. I am not sure which one is being used for Kerberos now.

I am a newbie in all this and am confused as to how to go about this.

What I am thinking is to provide the GSSAPI implementation for our security mechanism and write a PAM module (say pam_gss) to authenticate using GSSAPI. I don't know if this would work.

I am not sure how Kerberos handles all this (we need to more or less follow similar lines, and it would be very useful to know in what way Kerberos is being used by these apps).

Basically I need the new security mechanism to be used by all the applications (NFS, SSH etc.) and am not sure how to go about providing that.

Any help or info regarding this would be greatly appreciated. Also please let me know if this is not the right forum to post this or if there is any other place.

Thanks,
Ashwin.


_______________________________________________
Help-gss mailing list
Help-gss@gnu.org
http://lists.gnu.org/mailman/listinfo/help-gss

Re: PAM vs GSSAPI?
Simon Josefsson (Sweden)
2007-03-17 06:29:22
"Ashwin Ganti" <ashwin.ganti@gmail.com> writes:

> Hi,
>
> We are implementing a new security mechanism (similar to Kerberos) and want to integrate it with apps like NFS, SSH etc.
>
> What I am wondering here is whether to have a PAM module that implements the security mechanism (similar to pam_krb5) or to provide a GSSAPI implementation.
>
> For example, I have checked the code for OpenSSH only to see that it seems to have both PAM support and GSSAPI usage too. I am not sure which one is being used for Kerberos now.
>
> I am a newbie in all this and am confused as to how to go about this.
>
> What I am thinking is to provide the GSSAPI implementation for our security mechanism and write a PAM module (say pam_gss) to authenticate using GSSAPI. I don't know if this would work.
>
> I am not sure how Kerberos handles all this (we need to more or less follow similar lines, and it would be very useful to know in what way Kerberos is being used by these apps).
>
> Basically I need the new security mechanism to be used by all the applications (NFS, SSH etc.) and am not sure how to go about providing that.
>
> Any help or info regarding this would be greatly appreciated. Also please let me know if this is not the right forum to post this or if there is any other place.

Hello Ashwin!  From what you describe, I think you'll need to implement both PAM and GSS-API support for your security mechanism.  The reason is that PAM and GSS-API are two quite different things.  They are not two solutions to the same problem.

You'll need PAM for local host-login to the system.  If your security mechanism can verify passwords, having a PAM mechanism will solve the problem for ssh servers too.

You'll need to write a GSS-API mechanism for NFS and SSH, especially if your security mechanism is not based on passwords.  Fortunately, both NFS and SSH support GSS-API, but for some other protocols (e.g., TLS or EAP) you'll have to add support for your security mechanism directly since there is no standard way to use a GSS-API mechanism in those protocols.

I hope this helps.  If you want to write your GSS-API mechanism and ship it with GNU GSS, that would be a welcome contribution!  The intention is that GNU GSS should be a flexible plugin architecture for all kinds of GSS-API mechanisms.  I have thought about a dlopen() approach, which would allow you to hook into GNU GSS at run-time, without having a link dependency between GNU GSS and your project, which sometimes (especially when packaging both projects for Debian etc.) can be beneficial.

/Simon



Re: PAM vs GSSAPI?
Ashwin Ganti
2007-03-17 21:06:11
> Hello Ashwin!  From what you describe, I think you'll need to implement both PAM and GSS-API support for your security mechanism.  The reason is that PAM and GSS-API are two quite different things.  They are not two solutions to the same problem.

Would PAM in some way need to interact with GSSAPI, or can the security mechanism be directly implemented in a PAM module?

> You'll need PAM for local host-login to the system.  If your security mechanism can verify passwords, having a PAM mechanism will solve the problem for ssh servers too.

Does this mean that ssh uses PAM-based authentication... if I am not mistaken, OpenSSH has GSSAPI support in that too... not sure which one is being used now..

> You'll need to write a GSS-API mechanism for NFS and SSH, especially if your security mechanism is not based on passwords.  Fortunately, both NFS and SSH support GSS-API, but for some other protocols (e.g., TLS or EAP) you'll have to add support for your security mechanism directly since there is no standard way to use a GSS-API mechanism in those protocols.

As of now I am more concerned with getting this working with SSH and NFS... so from your comment I think GSSAPI should solve my immediate problem...

> I hope this helps.  If you want to write your GSS-API mechanism and ship it with GNU GSS, that would be a welcome contribution!  The intention is that GNU GSS should be a flexible plugin architecture for all kinds of GSS-API mechanisms.  I have thought about a dlopen() approach, which would allow you to hook into GNU GSS at run-time, without having a link dependency between GNU GSS and your project, which sometimes (especially when packaging both projects for Debian etc.) can be beneficial.

Thanks a lot for the information Simon. I would love to have this ship with GNU GSS but I guess there is still a long way for me to go in implementing this. I still need to fully understand the internals of GSSAPI before I have this ready.
I shall get back with further queries if I have any, once I start the implementation.

> /Simon

-- 
Impossibility is a relative concept



Re: PAM vs GSSAPI?
Simon Josefsson (Sweden)
2007-03-20 08:59:58
"Ashwin Ganti" <ashwin.ganti@gmail.com> writes:

>> Hello Ashwin!  From what you describe, I think you'll need to implement both PAM and GSS-API support for your security mechanism.  The reason is that PAM and GSS-API are two quite different things.  They are not two solutions to the same problem.
>
> Would PAM in some way need to interact with GSSAPI, or can the security mechanism be directly implemented in a PAM module?

It depends on your system architecture.

It is possible to build a PAM module that implements your security infrastructure internally, without any use of GSSAPI, much like the /etc/passwd PAM module etc.  BUT, NFS and SSH will not support it automatically; they will still treat it as a username/password-derived backend.

It may be possible to implement a PAM module that calls GSS-API functions to perform the host login, but I don't recall seeing anyone doing that.  For example, while I don't really know for sure, I think that all the Kerberos 5 PAM modules use native krb5 APIs instead of GSS-API.  Your security architecture is equivalent to krb5 from this conceptual point of view.

Btw, there is a very simple PAM module for Shishi (our krb5 implementation) inside Shishi, see extra/pam_shishi/.

>> You'll need PAM for local host-login to the system.  If your security mechanism can verify passwords, having a PAM mechanism will solve the problem for ssh servers too.
>
> Does this mean that ssh uses PAM-based authentication... if I am not mistaken, OpenSSH has GSSAPI support in that too... not sure which one is being used now..

Yes, SSH servers often use PAM to do authentication and authorization, especially when SSH is used with passwords.

SSH also supports GSS-API, to be able to support new security infrastructures over the wire.

Keep in mind that PAM doesn't have anything to do with the bits and bytes sent over the network, while GSS-API is all about that.

>> You'll need to write a GSS-API mechanism for NFS and SSH, especially if your security mechanism is not based on passwords.  Fortunately, both NFS and SSH support GSS-API, but for some other protocols (e.g., TLS or EAP) you'll have to add support for your security mechanism directly since there is no standard way to use a GSS-API mechanism in those protocols.
>>
> As of now I am more concerned with getting this working with SSH and NFS... so from your comment I think GSSAPI should solve my immediate problem...

Yes, for NFS you definitely need GSS-API, and it will work for SSH too.  You may need PAM support too, but it seems less important.

>> I hope this helps.  If you want to write your GSS-API mechanism and ship it with GNU GSS, that would be a welcome contribution!  The intention is that GNU GSS should be a flexible plugin architecture for all kinds of GSS-API mechanisms.  I have thought about a dlopen() approach, which would allow you to hook into GNU GSS at run-time, without having a link dependency between GNU GSS and your project, which sometimes (especially when packaging both projects for Debian etc.) can be beneficial.
>>
>
> Thanks a lot for the information Simon. I would love to have this ship with GNU GSS but I guess there is still a long way for me to go in implementing this. I still need to fully understand the internals of GSSAPI before I have this ready.
> I shall get back with further queries if I have any, once I start the implementation.

Sounds great.  If you want to share any information on the security infrastructure, I can give early comments on it.

/Simon
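An added example, not from the thread or from any project mentioned in it, showing how the two layers Simon describes sit side by side on an OpenSSH host: sshd_config selects what runs over the wire (GSS-API) while the PAM stack handles host login and local policy. The PAM module file names (pam_krb5.so, pam_unix.so) and the control flags are assumptions and vary by distribution.

```conf
# /etc/ssh/sshd_config (fragment)
# Wire-level authentication: the client presents a GSS-API (e.g. Kerberos)
# context token; no password crosses the network. This is the part a new
# GSS-API mechanism plugs into.
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

# Host-level login: after any successful authentication sshd hands the
# session to the PAM stack below. When the user authenticated via GSS-API the
# PAM "auth" phase is not consulted, but "account" and "session" still run,
# so expired accounts, access policy and credential-cache setup still apply.
UsePAM yes
# Password path: the password is verified by the PAM "auth" stack below,
# which is why Simon says a password-capable PAM module already covers SSH.
PasswordAuthentication yes

# /etc/pam.d/sshd (fragment; module names assumed, distribution-specific)
auth      sufficient  pam_krb5.so    # verify the password against the KDC
auth      required    pam_unix.so    # local /etc/shadow fallback
account   required    pam_krb5.so    # principal-to-local-user authorization
account   required    pam_unix.so    # account expiry etc.
session   optional    pam_krb5.so    # store the credential cache for the session
session   required    pam_unix.so
```

Swapping Kerberos for another mechanism means replacing both pam_krb5.so here and the GSS-API mechanism that sshd loads; neither substitution covers the other layer.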



Re: PAM vs GSSAPI?
Ashwin Ganti
2007-03-20 11:37:13
Thanks Simon for the information.

Please correct my understanding here:

1. I would need to write a PAM module for authenticating the user to the host initially and create his security credential once she is authenticated. This module would be using the native security API that I would provide. It would be very similar to the pam_krb5 module.

2. Coming to the ssh authentication part, since my authentication doesn't use passwords (instead it uses certificates containing the authentication information to authenticate the user), I would need to provide GSSAPI support for the client side as well as the server side.

3. This is not related to the current topic, but when I was going through pam_shishi there seem to be many TODOs in the code for many of the PAM support functions. Would it be possible to include this as a Google Summer of Code project for this summer? I would like to volunteer to work on it to complete the pending implementation and put it as the Summer of Code project. Please let me know if this is feasible or if there is any other work related to this area.

Thanks.




-- 
Impossibility is a relative concept



Re: PAM vs GSSAPI?
Simon Josefsson (Sweden)
2007-03-20 11:45:33
"Ashwin Ganti" <ashwin.ganti@gmail.com> writes:

> Thanks Simon for the information.
>
> Please correct my understanding here:
>
> 1. I would need to write a PAM module for authenticating the user to the host initially and create his security credential once she is authenticated. This module would be using the native security API that I would provide. It would be very similar to the pam_krb5 module.

Yes.  Whether or not the PAM module is used for initial creation of the security credential is not important.  Initial registration could be done outside of PAM, but it seems to be a trend to provide initial registration via PAM, typically upgrading an existing infrastructure (password-based) into a new security architecture.

> 2. Coming to the ssh authentication part, since my authentication doesn't use passwords (instead it uses certificates containing the authentication information to authenticate the user), I would need to provide GSSAPI support for the client side as well as the server side.

If your architecture uses asymmetric algorithms and X.509 certificates, you should probably look at the SSH X.509 authentication mechanism rather than GSSAPI.  See RFC 4819.  It is possible to do X.509 via GSSAPI, but I think RFC 4819 is likely to be more widely adopted.

> 3. This is not related to the current topic, but when I was going through pam_shishi there seem to be many TODOs in the code for many of the PAM support functions. Would it be possible to include this as a Google Summer of Code project for this summer? I would like to volunteer to work on it to complete the pending implementation and put it as the Summer of Code project. Please let me know if this is feasible or if there is any other work related to this area.

Oh boy, yes, that would indeed be possible, and I'd be very interested to work with you on this.  Shishi is a GNU project, and GNU has been approved for SOC.  Please sign up as a student if you haven't done so already.

I have not had time to submit SOC project ideas yet, but the deadline is fast approaching (Friday!) and I'll see if I can get it done tonight.

A PAM module may be a bit narrow in scope, but if we add support for migrating existing users (based on their username+password) that could be something useful.  Another idea would be to bring my work on LSH (a SSH implementation) with support for GSS-API up to date, so it supports Kerberos V5 via Shishi too.

/Simon




Re: PAM vs GSSAPI?
Simon Josefsson (Sweden)
2007-03-20 12:01:26
Simon Josefsson <simon@josefsson.org> writes:

>> 3. This is not related to the current topic, but when I was going through pam_shishi there seem to be many TODOs in the code for many of the PAM support functions. Would it be possible to include this as a Google Summer of Code project for this summer? I would like to volunteer to work on it to complete the pending implementation and put it as the Summer of Code project. Please let me know if this is feasible or if there is any other work related to this area.
>
> Oh boy, yes, that would indeed be possible, and I'd be very interested to work with you on this.  Shishi is a GNU project, and GNU has been approved for SOC.  Please sign up as a student if you haven't done so already.

Btw, some links that you should read if you are really interested in this:

http://www.gnu.org/software/soc-projects/guidelines.html


/Simon



Re: PAM vs GSSAPI?
Ashwin Ganti
2007-03-20 14:02:24
Hi Simon,

I am very interested in working on this.
Please let me know the project idea so that I can write a proposal and submit it asap.
I have signed up as a student for SOC.
I shall start working on the proposal once I know the project idea.

Thanks
Ashwin.



-- 
Impossibility is a relative concept



Re: PAM vs GSSAPI?
Russ Allbery (United States)
2007-03-20 19:43:04
Simon Josefsson <simon@josefsson.org> writes:

> It may be possible to implement a PAM module that calls GSS-API functions to perform the host login, but I don't recall seeing anyone doing that.  For example, while I don't really know for sure, I think that all the Kerberos 5 PAM modules use native krb5 APIs instead of GSS-API.  Your security architecture is equivalent to krb5 from this conceptual point of view.

So far as I can tell, it's not possible to obtain initial credentials with a password purely through the GSS-API.  I only see gss_acquire_cred, which isn't sufficient.  So yes, I'm fairly sure that all Kerberos PAM modules use native Kerberos calls.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>



Re: PAM vs GSSAPI?
Simon Josefsson (Sweden)
2007-03-21 06:29:20
Russ Allbery <rra@stanford.edu> writes:

> Simon Josefsson <simon@josefsson.org> writes:
>
>> It may be possible to implement a PAM module that calls GSS-API functions to perform the host login, but I don't recall seeing anyone doing that.  For example, while I don't really know for sure, I think that all the Kerberos 5 PAM modules use native krb5 APIs instead of GSS-API.  Your security architecture is equivalent to krb5 from this conceptual point of view.
>
> So far as I can tell, it's not possible to obtain initial credentials with a password purely through the GSS-API.  I only see gss_acquire_cred, which isn't sufficient.  So yes, I'm fairly sure that all Kerberos PAM modules use native Kerberos calls.

Ah, right.  I recalled some GSS-API extensions for initial acquisition, but I guess they were never implemented widely.  It might have been a better approach, though.  But maybe there are other things that pam_krb5 does which aren't possible to do via GSS-API?

/Simon

