[keycloak-dev] PAM integration with FreeIPA

Bruno Oliveira bruno at abstractj.org
Fri Jun 24 11:03:15 EDT 2016


On 2016-06-24, John Dennis wrote:
> On 06/24/2016 10:02 AM, Stian Thorgersen wrote:
> > We can support authentication over multiple steps as we already do that
> > for OTP. However, the problem will be with regards to the conversation
> > as this would require sticky sessions if clustered to make sure the
> > second step is sent to the same node. Can't PAM verify the two
> > independently? First password, then separately OTP? That would make it
> > much simpler and stateless.
>
> PAM is implemented as a C language library running in the address space of a
> single process (remember I said it was 20 years old :-). The state is kept
> in the address space of that process. That is the primary limitation and
> would really restrict you with regards to distributing the conversation
> across processes.
>
> I don't know if anyone has tried to address this, perhaps others in our
> group would know. It's been years since I coded PAM; I hope my recollections
> are correct on all accounts.
>
> This constraint should not be an issue for simple username/password auth
> because the PAM conversation can be completed as part of one single HTTP
> request.
>
> My thought here (but I don't have the final say) is let's not worry about
> this for the first implementation. If we can avoid boxing ourselves in by
> some implementation design choice we should take it into consideration if
> possible.

My limited knowledge says that's possible with pam-radius-auth[1], but
I wouldn't risk it before performing some tests. I agree with John here,
plus libpam4j only supports username/password.

I get the feeling that if we take this road, we're certainly going to end up
with our own bindings for libpam.


[1] - http://freeradius.org/pam_radius_auth/

>
> --
> John

--

abstractj
PGP: 0x84DC9914
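To make the constraint John describes concrete (libpam calls the application's conversation callback synchronously, from inside pam_authenticate(), so every prompt the stack emits has to be answered by the same process before that call returns), here is an added example of the minimal libpam binding Bruno anticipates. It is written for this page and is not code from the thread, from Keycloak or from libpam4j. It assumes the Linux-PAM struct layouts and constants, that the process's own libc provides malloc-compatible memory for the responses libpam will free(), and, only for the final `authenticate()` helper, that libpam.so.0 and a configured /etc/pam.d service exist. The prompts in the demo are constructed, modelled on a password-then-OTP stack, and `simulate_pam_stack()` stands in for libpam so the callback contract can be exercised offline:

```python
"""Minimal ctypes binding to Linux-PAM whose conversation callback answers a
multi-step stack (password prompt, then OTP prompt) within one pam_authenticate()."""
import ctypes

# Return codes and message styles from Linux-PAM <security/_pam_types.h>
PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_ERR = 0, 5, 19
PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO = 1, 2, 3, 4

class PamMessage(ctypes.Structure):  # struct pam_message
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]

class PamResponse(ctypes.Structure):  # struct pam_response
    # void* rather than c_char_p: we hand libpam malloc'd memory that it will free()
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]

# int conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata)
CONV_FUNC = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int,
                             ctypes.POINTER(ctypes.POINTER(PamMessage)),
                             ctypes.POINTER(ctypes.POINTER(PamResponse)), ctypes.c_void_p)

class PamConv(ctypes.Structure):  # struct pam_conv
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]

_libc = ctypes.CDLL(None)  # the process's own libc, so our buffers are free()-compatible
_libc.calloc.restype = _libc.strdup.restype = ctypes.c_void_p
_libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]
_libc.strdup.argtypes = [ctypes.c_char_p]
_libc.free.argtypes, _libc.free.restype = [ctypes.c_void_p], None

def free_responses(responses, count):
    """Release a response array the way libpam does: each string, then the array."""
    for i in range(count):
        if responses[i].resp:
            _libc.free(responses[i].resp)
    _libc.free(ctypes.cast(responses, ctypes.c_void_p))

class ScriptedConversation:
    """Answers PAM prompts, in order, from answers collected before pam_start().

    libpam calls conv() synchronously inside pam_authenticate() and does not return
    until every module in the stack has had its prompts answered, so password and
    OTP must both already be in this process; the conversation cannot be parked
    after the first prompt and resumed later, let alone on another cluster node."""

    def __init__(self, answers):
        self._answers = [a.encode() for a in answers]
        self.transcript = []  # (msg_style, prompt text) in the order PAM asked
        self.c_callback = CONV_FUNC(self._conv)  # hold a reference so it stays alive

    def _conv(self, num_msg, msg, resp, appdata_ptr):
        if num_msg <= 0:
            return PAM_CONV_ERR
        arr = _libc.calloc(num_msg, ctypes.sizeof(PamResponse))
        if not arr:
            return PAM_BUF_ERR
        responses = ctypes.cast(arr, ctypes.POINTER(PamResponse))
        for i in range(num_msg):
            m = msg[i].contents
            self.transcript.append((m.msg_style, (m.msg or b"").decode(errors="replace")))
            if m.msg_style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
                if not self._answers:  # a prompt we cannot answer now: fail the conversation
                    free_responses(responses, i)
                    return PAM_CONV_ERR
                responses[i].resp = _libc.strdup(self._answers.pop(0))
            # PAM_TEXT_INFO / PAM_ERROR_MSG take no answer; resp stays NULL
        resp[0] = responses
        return PAM_SUCCESS

def simulate_pam_stack(conv, prompts):
    """Drive conv() as libpam would for a stack emitting `prompts`: an offline stand-in
    for a configured PAM service. Returns (rc, [answer or None per prompt])."""
    msgs = [PamMessage(style, text.encode()) for style, text in prompts]
    msg_ptrs = (ctypes.POINTER(PamMessage) * len(msgs))(*map(ctypes.pointer, msgs))
    out = ctypes.POINTER(PamResponse)()
    rc = conv.c_callback(len(msgs), msg_ptrs, ctypes.byref(out), None)
    if rc != PAM_SUCCESS:
        return rc, []
    given = [ctypes.string_at(out[i].resp).decode() if out[i].resp else None
             for i in range(len(msgs))]
    free_responses(out, len(msgs))
    return rc, given

def authenticate(service, user, answers):
    """Real pam_start/pam_authenticate/pam_end cycle. Assumes libpam.so.0 and that
    `service` names a stack in /etc/pam.d (e.g. pam_sss with OTP); not run offline."""
    libpam = ctypes.CDLL("libpam.so.0")
    libpam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                                 ctypes.POINTER(PamConv), ctypes.POINTER(ctypes.c_void_p)]
    libpam.pam_authenticate.argtypes = [ctypes.c_void_p, ctypes.c_int]
    libpam.pam_end.argtypes = [ctypes.c_void_p, ctypes.c_int]
    conv = ScriptedConversation(answers)
    pamc, handle = PamConv(conv.c_callback, None), ctypes.c_void_p()
    rc = libpam.pam_start(service.encode(), user.encode(), ctypes.byref(pamc), ctypes.byref(handle))
    if rc == PAM_SUCCESS:
        rc = libpam.pam_authenticate(handle, 0)
        libpam.pam_end(handle, rc)
    return rc, conv.transcript

if __name__ == "__main__":
    # Constructed prompts, modelled on a password-then-second-factor stack.
    demo = ScriptedConversation(["correct horse", "492817"])
    print(simulate_pam_stack(demo, [(PAM_PROMPT_ECHO_OFF, "Password: "),
                                    (PAM_TEXT_INFO, "Enter the code from your token"),
                                    (PAM_PROMPT_ECHO_OFF, "Second Factor: ")]))
```

Running it directly shows the scripted conversation answering both prompts in one pass. Hand the same `ScriptedConversation` a further prompt afterwards and it returns PAM_CONV_ERR, which is the practical consequence of John's point: the OTP has to be collected before pam_authenticate() is called, or the whole pam handle and its conversation have to stay alive on the one node that started it.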

