
OpenID PAM module [closed]

I am looking for a PAM module that can use OpenID to do the authentication. My idea is that I want to log on to my Linux box using my Gmail account and password. I found there is an open source project on Google Code which seems to be doing the things I want, but I don't see any code available for download.

I saw there are so many examples or implementations, but they are all about web apps. Are there any non-web-based OpenID applications in the world? Is it technically possible to make a non-web-based OpenID application? I naively think that it should be possible. I can emulate whatever packets the browser sends out to the OpenID provider and get back the result. As long as my Linux box is connected to the Internet, I should be able to use my OpenID to log in.

Appreciate any comments, suggestions or pointers on how to make an OpenID PAM module.

Thanks!

Harvey Kwok asked Dec 30 '10 07:12



2 Answers

I may have misunderstood the request, but Google (for example) provides a way to allow client-side and installed applications to authenticate through Google's API using OAuth 2.0 standards.

As you can see in Using OAuth 2.0 for Installed Applications or even more in Using OAuth 2.0 for Devices.

Yes, you still need to use browser interaction etc., but Python as well as ASP.NET are able to handle web requests, and for the Linux part, GNOME too through the WebKitGTK+ tools.

It may be a lead for your research.

Oh, and by the way, about web services and OpenID etc., the PAM module could be written in Python (for the web server part) and be integrated into GNOME 3.2 easily (also Python to modify the Gnome-Keyring API), and in ASP.NET for the Windows side.

But once again, I'm not a specialist on this question, just very interested in it. ;-)

Dr I answered Sep 20 '22 22:09
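The device flow this answer points to ("Using OAuth 2.0 for Devices"), as an added example that is not part of the original post: the login host never sees a password and only polls a token endpoint while the user approves in a browser on another device. The endpoint here is a constructed in-process stand-in, the names `poll_for_token`, `FakeTokenEndpoint` and `demo` are hypothetical, and the error codes follow RFC 8628 (OAuth 2.0 Device Authorization Grant).

```python
# Added example: RFC 8628 device-flow polling as a headless login helper might use it.
# The token endpoint is simulated in-process (constructed); no provider URL is assumed.
GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class FakeTokenEndpoint:
    """Constructed stand-in for a provider: replays a scripted list of responses."""

    def __init__(self, script):
        self.script = list(script)
        self.requests = []

    def __call__(self, form):
        self.requests.append(form)
        return self.script.pop(0)


def poll_for_token(post_token, client_id, device_code, interval, expires_in,
                   sleep=lambda seconds: None):
    """Poll until the user approves elsewhere; return (token, seconds_waited).

    Raises PermissionError on denial or a malformed reply and TimeoutError on
    expiry, so a caller such as a PAM helper fails closed.
    """
    waited = 0
    while waited < expires_in:
        sleep(interval)
        waited += interval
        resp = post_token({"grant_type": GRANT, "client_id": client_id,
                           "device_code": device_code})
        if "access_token" in resp:
            return resp["access_token"], waited
        err = resp.get("error")
        if err == "authorization_pending":
            continue                      # user has not finished approving yet
        if err == "slow_down":
            interval += 5                 # RFC 8628 section 3.5: back off by 5 seconds
            continue
        if err == "expired_token":
            raise TimeoutError("device code expired")
        raise PermissionError(err or "malformed token response")
    raise TimeoutError("device code expired")


def demo():
    # Constructed response script: pending, told to slow down, then approved.
    server = FakeTokenEndpoint([{"error": "authorization_pending"},
                                {"error": "slow_down"},
                                {"access_token": "constructed-token"}])
    result = poll_for_token(server, "example-client", "constructed-device-code",
                            interval=5, expires_in=60)
    return result, len(server.requests)
```

A real module would still have to verify the identity behind the returned token and map it to a local account before reporting success.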


It's not the issue of the provider trusting the relying party.

The problem is in that the user has to trust it.

There are, however, three other issues:

  1. Whatever you do, you can't guarantee your user that your PAM module doesn't steal his password.
  2. Since there's no unified authentication mechanism among providers, you would still need to display an interactive browser window. I don't think that PAM modules can be interactive, though.
  3. The module would have to be an HTTP server in order to be able to receive responses.

Mewp answered Sep 20 '22 22:09