OpenID PAM module [closed]
I am looking for a PAM module that can use OpenID to do the authentication. My idea is that I want to log on to my Linux box using my Gmail account and password. I found there is an open source project on Google Code which seems to be doing the things I want, but I don't see any code available for download.

I saw there are so many examples or implementations, but they are all about web apps. Are there any non-web-based OpenID applications in the world? Is it technically possible to make a non-web-based OpenID application? I naively think that it should be possible. I can emulate whatever packets the browser sends out to the OpenID provider and get back the result. As long as my Linux box is connected to the Internet, I should be able to use my OpenID to log in.

Appreciate any comments, suggestions or pointers on how to make an OpenID PAM module.

Thanks!

Turrell answered 30/12, 2010 at 7:54 Comment(8)
How would the OpenID provider have the user confirm the request? -- Cammie
@Ignacio Am I completely misunderstanding some fundamental concept? I already have a Gmail account [email protected]. Gmail is my OpenID provider. I can configure my OpenID PAM module to use gmail.com as the OpenID provider. Then, I can log on to my Linux box by typing "[email protected]" as the username and then type in my Gmail account password. The PAM module will contact gmail.com, and gmail.com can of course confirm my request because it knows my [email protected] account and it knows my password. Gmail.com confirms whether the credentials are valid. -- Turrell
It's impossible to make a secure, non-web OpenID authentication for a simple reason: OpenID depends on the fact that you know you're connected to the provider. In all other cases, a relying party (e.g. the PAM module) could intercept your login and password, and you don't want that. Since non-web apps can't be trusted not to intercept your traffic/keystrokes, you can't implement OpenID outside of the web. As for a PAM module, there's another problem: authentication with a provider requires user interaction. Gmail doesn't know you unless you give it your password. -- Milner
@Milner I have just downloaded DotNetOpenAuth dotnetopenauth.net. Yes, it's .NET code and I am primarily a .NET programmer. I just ran an ASP.NET sample. I can have my web app on my local machine using OpenID to authenticate me using Yahoo and Gmail accounts. The local web app has the URL localhost/xxxx. It appears to me that both Gmail and Yahoo can trust something from localhost. If that's the case, the PAM module can emulate the web app to do all the communication with the OpenID provider, including the user interaction part. Am I completely off base? -- Turrell
It's not the issue of the provider trusting the relying party. The problem is that the user has to trust it. Basically, whatever you do, you can't guarantee your user that your PAM module doesn't steal his password. Another issue is that, since there's no unified authentication mechanism among providers, you would still need to display an interactive browser window. I don't think that PAM modules can be interactive, though. Third issue: the module would have to be an HTTP server in order to be able to receive responses. -- Milner
@Milner Thanks! If you paste the last comment as an answer, I will accept it. -- Turrell
(2) If you don't trust your systems administrators to have installed a trustworthy authentication module, why do you trust them not to have manipulated the web browser to steal your details? -- Erechtheum
(1) Many practical applications would only need this to work for one ID provider, as many organisations choose only one external provider to work with, e.g. Google for Work. -- Erechtheum

I may have misunderstood the request, but Google (for example) provides a way to allow client-side and installed applications to authenticate through Google's API using the OAuth 2.0 standard.

As you can see in Using OAuth 2.0 for Installed Applications or even more in Using OAuth 2.0 for Devices.

Yes, you still need to use browser interaction etc., but Python as well as ASP.NET are able to handle web requests, and for the Linux part, Gnome too through the WebKitGTK+ tools.

It may be a lead for your research.

Oh, and by the way, about web services and OpenID etc., the PAM module could be written in Python (for the web server part) and be integrated into Gnome 3.2 easily (also Python to modify the Gnome-Keyring API), AND in ASP.NET for the Windows side.

But once again, I'm not a specialist on this question, just very interested in it. ;-)

Acetum answered 19/3, 2012 at 8:6 Comment(1)
Just a little edit to point out this quite good news: Google just released a way to authorize services to communicate with the API without user interaction - here -- Acetum

It's not the issue of the provider trusting the relying party.

The problem is in that the user has to trust it.

There are, however, three other issues:

  1. Whatever you do, you can't guarantee your user that your PAM module doesn't steal his password.
  2. Since there's no unified authentication mechanism among providers, you would still need to display an interactive browser window. I don't think that PAM modules can be interactive, though.
  3. The module would have to be an HTTP server in order to be able to receive responses.
Milner answered 3/1, 2011 at 16:50 Comment(3)
From your experience, how often does the OpenID provider (e.g. Google or Yahoo) change their authentication interface? In the near future, will the OpenID providers come up with some standardized authentication mechanism? -- Turrell
In my opinion, it's not about the authentication interface of any single provider -- it's about the fact that you can't possibly implement the interface for every provider that exists. As far as I know, there are no plans to include a standard authentication mechanism for providers in the OpenID standard. However, I'm not the right person to ask. You'd probably get a better answer by asking on the OpenID mailing list or at some other place directly related to the OpenID Foundation. -- Milner
+1 Thanks for all your information :) -- Turrell

I found this one: JumpCloud

It looks like it could do the trick, if you use LDAP.

Ok, the idea of JumpCloud is that they provide the LDAP-to-Google OAuth connection, so if you set up your system to authenticate through LDAP, but set it to check JumpCloud's LDAP and not your local system, then you should be able to log in using a Google domain account.

Pint answered 12/1, 2017 at 15:52 Comment(3)
The question isn't great, but I don't see how that service helps in having a PAM module in Linux. -- Rogelioroger
Although adding a link to your answer is a good idea, you should always try and add further description to your answer in case the link is no longer in use at a later stage, in which case the answer would be next to pointless. -- Gregorygregrory