[OpenAFS] experience using pam for unified login (system/ databases)

Charles Clancy security@xauth.net
Tue, 17 Sep 2002 21:09:25 -0500 (CDT)


> > I am currently searching for a way to provide a unified login to both our
> > system and to our databases (currently mysql, next-up will be possibly
>
> It's easy. You'll have to replace your adduser-script by a modification
> which automatically adds the user to both the system and the database.

There's a difference between password synchronization and single sign-on.
Single sign-on implies that after typing your password once, you never have
to type it again during a given login session.

For true single sign-on, you'd need something like Kerberos.  AFS supports
it, but not every application does.  The pam_krb5 module only seems to
support password authentication.  What you need is to build native
Kerberos support into your services.  Unfortunately, MySQL doesn't support
anything other than its internal authentication mechanisms.

With the right set of clients and servers, you can get single sign-on to
work with Windows ADS, AFS, IMAP, and SSH, among others.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
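The flow the post contrasts with password synchronization, as an added Python example that is not code from this message, from OpenAFS or from any Kerberos implementation. It models only the structure of a Kerberos session: the password is used once to derive a key and open the AS reply, a TGT comes back, and tickets for the afs, imap and ssh services are then obtained from the TGT without the password. Everything concrete here is assumed for illustration: the realm EXAMPLE.ORG, the principals alice, afs/cell, imap/mail and host/shell, the 10-hour lifetime, JSON messages in place of ASN.1, PBKDF2 as a stand-in for string-to-key, and a toy SHA-256-keystream-plus-HMAC construction in place of a real enctype (not for real use). A service that shares no key with the KDC, which is the MySQL situation the post describes, cannot receive a ticket at all; the tgs_exchange method shows where that fails.

```python
"""Toy model of a Kerberos-style single-sign-on session: AS exchange, TGS exchange,
service-side verification. Added illustration, not code from the list post and not
real Kerberos (JSON, not ASN.1; a SHA-256 keystream plus HMAC tag, not a real
enctype; plain PBKDF2 as string-to-key). It keeps the structure the post describes:
the password opens the AS reply once; every later ticket comes from the TGT."""
import hashlib, hmac, json, os, time

LIFETIME = 10 * 3600  # assumed ticket lifetime, seconds

def string_to_key(password, principal):
    """Simplified string-to-key: password -> long-term key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000, 32)

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, msg):
    """Toy authenticated encryption: nonce || ciphertext || HMAC-SHA256 tag."""
    pt, nonce = json.dumps(msg, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal(); ValueError on wrong key or tampered message."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Key distribution centre: holds every principal's long-term key."""
    def __init__(self, realm):
        self.realm, self.keys = realm, {"krbtgt/" + realm: os.urandom(32)}

    def add_user(self, name, password):
        self.keys[name] = string_to_key(password, name)

    def add_service(self, name):
        """Register a kerberised service; the returned key is its keytab."""
        self.keys[name] = os.urandom(32)
        return self.keys[name]

    def as_exchange(self, client):
        """AS-REQ/AS-REP: reply sealed under the client's password-derived key."""
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt/" + self.realm],
                   {"client": client, "key": session, "exp": time.time() + LIFETIME})
        return seal(self.keys[client], {"key": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ/TGS-REP: verify TGT and authenticator, issue a service ticket."""
        if service not in self.keys:  # e.g. mysql: no key shared with the KDC, no ticket
            raise KeyError(service + " has no native Kerberos support")
        t = unseal(self.keys["krbtgt/" + self.realm], tgt)
        if t["exp"] < time.time():
            raise PermissionError("TGT expired")
        if unseal(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
            raise PermissionError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service],
                      {"client": t["client"], "key": svc_session, "exp": time.time() + LIFETIME})
        return seal(bytes.fromhex(t["key"]), {"key": svc_session, "ticket": ticket.hex()})

class Client:
    def __init__(self, name, kdc):
        self.name, self.kdc, self.tgt, self.tgt_key = name, kdc, None, None

    def kinit(self, password):
        """The only step that touches the password."""
        rep = unseal(string_to_key(password, self.name), self.kdc.as_exchange(self.name))
        self.tgt, self.tgt_key = bytes.fromhex(rep["tgt"]), bytes.fromhex(rep["key"])

    def service_ticket(self, service):
        """(ticket, service session key) obtained with the TGT, not the password."""
        auth = seal(self.tgt_key, {"client": self.name, "ts": time.time()})
        rep = unseal(self.tgt_key, self.kdc.tgs_exchange(self.tgt, auth, service))
        return bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["key"])

def service_accepts(svc_key, ticket, authenticator):
    """What a kerberised afs/imap/ssh server does with a presented ticket."""
    t = unseal(svc_key, ticket)
    if (unseal(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]
            or t["exp"] < time.time()):
        raise PermissionError("ticket rejected")
    return t["client"]

def demo(password="correct horse"):
    """One login, three services, no password re-entry; returns the services that accepted."""
    kdc = KDC("EXAMPLE.ORG")  # constructed realm, user and service principals
    kdc.add_user("alice", password)
    svc_keys = {s: kdc.add_service(s) for s in ("afs/cell", "imap/mail", "host/shell")}
    alice = Client("alice", kdc)
    alice.kinit(password)  # the password is typed exactly once
    accepted = []
    for svc, key in svc_keys.items():
        ticket, sk = alice.service_ticket(svc)
        service_accepts(key, ticket, seal(sk, {"client": "alice", "ts": time.time()}))
        accepted.append(svc)
    return accepted
```

Running demo() returns all three service names: after the single kinit, each service ticket is fetched with the TGT's session key and verified by the service with its own keytab key, so the password never crosses the wire and is never re-entered. A wrong password fails at kinit (the AS reply cannot be opened), and asking for a "mysql" ticket fails in tgs_exchange because nothing was registered for it, which is the practical meaning of "build native Kerberos support into your services": the service needs a key shared with the KDC.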