OpenID + PAM?
I’ve had more than a few people ask me whether there is PAM support for OpenID. My original answer had always been to point folks to the pam-openid module over at Google Code.
Unfortunately, there isn’t much code there at all, and the project’s blog suffered some mishap that wiped out all of its posts. The gist is, the pam-openid module isn’t available right now.
Has anybody else looked at doing this? Anybody willing to help make it happen?
I can see all kinds of opportunities for linking together applications and resources across your network with OpenID. Hooking it into PAM would give you a couple of great options: leveraging existing account stores like LDAP, or creating a new account store that hooks into OpenID.
I’m all ears and would love to help make this happen. Another fantastic (possible) application of OpenID.
Perhaps freeradius, or something else PAM can already back on to, might be more appropriate.
An OpenID PAM module would be great! :)
I have been looking for that for about 6 months already. I would like to authenticate ssh connections using OpenID.
I would love to see a PAM OpenID module. On the other hand, I’m not really sure how it would work. It seems like OpenID is more of a PAM replacement than a PAM module. The whole idea behind PAM is that applications need to be re-written to support PAM, and then transparently we can install additional PAM modules.
How would this work with OpenID?
Taking the ssh example – I would love to type:
ssh -l https://id.mayfirst.org/jamie myserver.org
Then, the ssh client would prompt me for a password. Would I enter my password? If I did, and ssh passed it on to the ssh server, which would pass it on to PAM… then what? Is there an OpenID specification for a consumer to give the provider a password and get a response? My understanding is that the consumer has to redirect the user’s browser to the provider and the provider asks the user for the password. How would this work in an environment where there is no browser?
Another angle… suppose we wanted to get Horde IMP (a web-based IMAP client) to support OpenID. Horde IMP could be redesigned to do the browser redirection – so we don’t have to give Horde IMP our password at all, allowing our OpenID provider to do the verification. But then Horde IMP can’t access our email – because normally Horde IMP caches our password, sending it to our IMAP server on every request. Here’s where an OpenID PAM module could step in. If Horde IMP could get a Kerberos-style token from the OpenID provider and pass that on to the IMAP server, which would pass it on to PAM, which would verify that it is accurate… Is there a spec like this being discussed with OpenID?
Of course, maybe I just don’t get it and there’s a much easier or simpler way to do this.
Thoughts are welcome.
> How would this work in an environment where there is no browser?
Probably it will not if a browser is required by OpenID. Is it?
But anyway, the browser requirement is OK because the browser is widely used/known software.
For example, I have an ID card to authenticate against an OpenID service, and ID card software is also needed (it asks for a PIN code). If there is no ID card software, it also does not work.
Have you seen Gracie?
http://trac.whitetree.org/gracie/
I wasn’t able to get it running on Fedora, but I ran out of time for it…
Is this idea dead? Is there any code at all? I might be interested in helping out, please contact me.