[OpenAFS-port-darwin] aklog/afslog at console login and Mac OS 10.2

David Botsch dwb7@ccmr.cornell.edu
Mon, 30 Sep 2002 17:07:13 -0400


If true, it makes you wonder what the point of having pam is ... just 
to make things like sshd happy? Maybe I misunderstood what Apple was 
saying about including pam and about replacing the apis in place with 
the login authenticators in 10.1 (but I'm not the only one with the 
impression that loginwindow would use pam, allowing us to just plug in 
whatever type of auth we needed).

Is this type of authentication .. pam to security server .. why we have 
a "system.login.pam" key in /etc/authorization ?

The next obvious question would be, then, what about replacing the 
loginwindow with something like gdm, that works with pam, but having it 
still start the normal OS X GUI instead of XWindows?



On 2002.09.30 16:58 Alexei Kosut wrote:
> On Mon, Sep 30, 2002 at 04:23:01PM -0400, David Botsch wrote:
> > What I have failed to get working, however, is the loginwindow auth
> > via pam.
> 
> I'm not sure that this is possible.  It's possible to do SecurityAgent
> authentication from PAM-enabled programs (with pam_securityserver.so),
> but I've found no indication that there's a way to do the reverse.
> Certainly none of the usual suspects (loginwindow, SecurityServer,
> SecurityAgent, etc...) link against the PAM libraries.
> 
> I think that loginwindow authentication is pluggable only with
> Security Agent plugins.  I suppose you could write such a plugin that
> did PAM, but the API here looks even harder to reverse-engineer than
> most private Apple APIs (it appears to be C++).
> 
> --
> Alexei Kosut <akosut@cs.stanford.edu>
> <http://rescomp.stanford.edu/~akosut/>
> 

-- 
********************************
David William Botsch
Consultant/Advisor II
CCMR Computing Facility
dwb7@ccmr.cornell.edu
********************************