Subject: PAM pwcheck method ?
From: Etienne Goyer (etienne dot goyer at linuxquebec dot com)
Date: Tue May 06 2003 - 12:13:44 EDT

I am in need of a pwcheck method that can authenticate to a Kerberos V
domain. Right now, I am experimenting with saslauthd+gssapi. I recall
having seen somewhere that this is what CMU is currently using. I was
hoping that it would fit my requirements but unfortunately it is giving
me a few headaches.

According to Valgrind, there are two memory leaks in the gssapi plugin to
saslauthd distributed with 2.1.13. For one I sent a fix to the list; the
other I chased for a few hours without success. I can work around them
with the -n0 argument to saslauthd, but this is still causing me concern.
Also, a repeatable condition which may happen in my environment
makes saslauthd segfault (this was reported to the list a few weeks ago;
nobody did a follow-up). Besides that, I found saslauthd is behaving
erratically under load. Sometimes, a saslauthd process would die in my
test after serving a few hundred or a few thousand connections.
Overall, I am not very happy about it.

I had been discussing outside the list with Michael Bacon of Duke about
similar problems he had and he sent me a patch to add PAM as a pwcheck
method to Cyrus-SASL. The patch applied and compiled without any
problem. My preliminary tests were satisfying; the performance was
correct and there was no leak or instability that I could find.

So my question to the maintainers is: would it be possible to consider
having a PAM pwcheck method added to Cyrus-SASL (be it Michael Bacon's
patch or something else)? I know my requirements do not dictate the
development agenda of Cyrus-SASL, but I think this could be useful for
many people. I also believe that, considering PAM's flexibility and
robustness, it would represent a better choice over saslauthd for most
setups. Why bother with a separate process if you can do something
within a proven library?

Thank you for considering my point of view. I hope people more
knowledgeable than me could share their opinion on the subject.

--
Etienne Goyer
Linux Québec Technologies Inc.
http://www.LinuxQuebec.com
etienne dot goyer at linuxquebec dot com
PGP Pub Key: http://www.LinuxQuebec.com/pubkeys/eg.key
Fingerprint: F569 0394 098A FC70 B572 5D20 3129 3D86 8FD5 C853