Question

I am looking for a PAM module that can use OpenID to do the authentication. My idea is that I want to log on to my Linux box using my Gmail account and password. I found there is an open source project on Google Code which seems to be doing the things I want, but I don't see any code available for download.

I saw there are so many examples or implementations, but they are all about web apps. Are there any non-web-based OpenID applications in the world? Is it technically possible to make a non-web-based OpenID application? I naively think that it should be possible. I can emulate whatever packets the browser sends out to the OpenID provider and get back the result. As long as my Linux box is connected to the Internet, I should be able to use my OpenID to log in.

Appreciate any comments, suggestions or pointers on how to make an OpenID PAM module.

Thanks!


Solution

I may have misunderstood the request, but Google (for example) provides a way to allow client-side and installed applications to authenticate through Google's API using the OAuth 2.0 standards.

As you can see in Using OAuth 2.0 for Installed Applications or even more in Using OAuth 2.0 for Devices.

Yes, you still need to use browser interaction etc., but Python as well as ASP.NET are able to handle web requests, and for the Linux part, Gnome too through the WebKitGTK+ tools.

It may be a lead for your research.

Oh, and by the way, about web services and OpenID etc., the PAM module could be written in Python (for the web server part) and be integrated into Gnome 3.2 easily (also Python to modify the Gnome-Keyring API), AND in ASP.NET for the Windows side.

But once again, I'm not a specialist on this question, just very interested in it. ;-)
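To make the "OAuth 2.0 for Devices" pointer in this answer concrete, here is an added example (not code from the answer or from Google) that simulates the OAuth 2.0 Device Authorization Grant (RFC 8628) with both sides in one process: a mock authorization server issuing a device_code/user_code pair and a console-style client that displays the code and polls the token endpoint with back-off. The `prompt` callback stands in for however a console program would show the code to the user; the server URL, client id, codes and the identity `alice@example.com` are constructed for the example, and the `subject` field in the token response is a simplification of where a real server would carry identity (an ID token).

```python
"""Simulated OAuth 2.0 Device Authorization Grant (RFC 8628).

Added example: a mock authorization server and a console client run in one
process so the exchange can be traced offline. All codes, tokens, URLs and
the subject "alice@example.com" are constructed for the example.
"""
import secrets
import time


class FakeClock:
    """Deterministic clock so the polling loop can be traced without real sleeps."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class DeviceAuthServer:
    """Mock of the device_authorization and token endpoints."""

    def __init__(self, clock=time.monotonic, expires_in=300, interval=5):
        self.clock = clock
        self.expires_in = expires_in   # lifetime of a device_code, in seconds
        self.interval = interval       # minimum seconds between token polls
        self._pending = {}             # device_code -> authorization record

    def device_authorization(self, client_id, scope):
        """Step 1: the client asks for a device_code/user_code pair."""
        device_code = secrets.token_urlsafe(32)   # long secret, held by the client only
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # short, typed by the user
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "issued": self.clock(), "approved_subject": None, "last_poll": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://auth.example/device",   # constructed URL
                "expires_in": self.expires_in, "interval": self.interval}

    def user_approves(self, user_code, subject):
        """Step 2 (out of band): the user enters user_code in a browser and signs in."""
        for rec in self._pending.values():
            if rec["user_code"] == user_code and rec["approved_subject"] is None:
                rec["approved_subject"] = subject
                return True
        return False

    def token(self, device_code, client_id):
        """Step 3: the client polls; error codes follow RFC 8628 section 3.5."""
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now - rec["issued"] > self.expires_in:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            rec["last_poll"] = now
            return {"error": "slow_down"}          # client polled faster than allowed
        rec["last_poll"] = now
        if rec["approved_subject"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]             # a device_code is redeemed exactly once
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600,
                "subject": rec["approved_subject"]}   # simplification: real servers use an ID token


def device_login(server, client_id, prompt, on_pending, clock, sleep):
    """Client side: show the code to the user, then poll with back-off until a verdict."""
    auth = server.device_authorization(client_id, "openid email")
    prompt(f"Visit {auth['verification_uri']} and enter code {auth['user_code']}")
    interval = auth["interval"]
    deadline = clock() + auth["expires_in"]
    while clock() < deadline:
        resp = server.token(auth["device_code"], client_id)
        if "access_token" in resp:
            return resp
        if resp["error"] == "authorization_pending":
            on_pending(auth["user_code"])          # hook used by the demo to play the user
        elif resp["error"] == "slow_down":
            interval += 5                           # RFC 8628: increase the interval by 5 s
        else:
            return resp                             # expired_token, access_denied, invalid_grant
        sleep(interval)
    return {"error": "expired_token"}


def simulate(approve_on_poll):
    """Run one login where the user approves after `approve_on_poll` pending polls (0 = never)."""
    clock = FakeClock()
    server = DeviceAuthServer(clock=clock.now)
    shown, polls = [], [0]

    def on_pending(user_code):
        polls[0] += 1
        if polls[0] == approve_on_poll:
            server.user_approves(user_code, "alice@example.com")   # constructed identity

    result = device_login(server, "pam-demo-client", shown.append, on_pending, clock.now, clock.advance)
    return result, shown, polls[0], clock.now()


if __name__ == "__main__":
    result, shown, polls, elapsed = simulate(approve_on_poll=2)
    print(shown[0])
    print(f"polled {polls} times over {elapsed:.0f}s, result: {result}")
```

The point of the flow for a console program is that the user's password never passes through the program: the user signs in at the provider in a separate browser, and the program only learns a short-lived token. The server side also shows the two checks a client must tolerate, `slow_down` when it polls too often and `expired_token` when the code lifetime runs out.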

OTHER TIPS

It's not the issue of the provider trusting the relying party.

The problem is in that the user has to trust it.

There are, however, three other issues:

  1. Whatever you do, you can't guarantee your user that your pam module doesn't steal his password.
  2. Since there's no unified authentication mechanism among providers, you would still need to display an interactive browser window. I don't think that pam modules can be interactive, though.
  3. The module would have to be an HTTP server in order to be able to receive responses.

I found this one: JumpCloud.

It looks like it could do the trick, if you use LDAP.

OK, the idea of JumpCloud is that they provide the LDAP-to-Google OAuth connection, so if you set up your system to authenticate through LDAP, but set it to check JumpCloud's LDAP and not your local system, then you should be able to log in using a Google domain account.
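As an added illustration of the "point PAM at a remote LDAP directory" approach this answer describes (not configuration from the answer or from JumpCloud), here is an SSSD configuration fragment that makes NSS and PAM resolve and authenticate users against a remote LDAP server over TLS. The host name, base DN and CA bundle path are placeholders to be replaced with the directory provider's published values.

```ini
; Added example: /etc/sssd/sssd.conf fragment (placeholders, not a real provider's values).
; The file must be owned by root with mode 0600 or sssd refuses to start.
[sssd]
services = nss, pam
domains = REMOTE_LDAP

[domain/REMOTE_LDAP]
id_provider = ldap
auth_provider = ldap
; ldaps:// so the bind password only ever travels inside TLS (placeholder host)
ldap_uri = ldaps://ldap.provider.invalid:636
; placeholder search base; the provider documents the real one
ldap_search_base = ou=Users,o=PLACEHOLDER_ORG,dc=provider,dc=invalid
; refuse to bind if the server certificate does not verify against the CA bundle
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
; keep a hash of the last successful password so login still works when the network is down
cache_credentials = true
```

With this in place the PAM stack gets `pam_sss.so` (on Debian-derived systems via `pam-auth-update`) and `/etc/nsswitch.conf` lists `sss` for `passwd`, `group` and `shadow`. The two settings worth not relaxing are `ldap_tls_reqcert = demand` and the `ldaps://` scheme: a remote directory on the public Internet is only as trustworthy as the certificate check that proves you are talking to it, since every login sends the user's password to whatever answers at that URI.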

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow