Linux OpenID PAM module

Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/4560965/

Date: 2020-08-05 02:19:49  Source: igfitidea

OpenID PAM module

linux security authentication openid pam

Asked by Harvey Kwok

I am looking for a PAM module that can use OpenID to do the authentication. My idea is that I want to log on to my Linux box using my Gmail account and password. I found there is an open source project in Google Code which seems to be doing the things I want, but I don't see any code available for download.


I saw there are so many examples or implementations, but they are all about web apps. Are there any non-web-based OpenID applications in the world? Is it technically possible to make a non-web-based OpenID application? I naively think that it should be possible. I can emulate whatever packets the browser sends out to the OpenID provider and get back the result. As long as my Linux box is connected to the Internet, I should be able to use my OpenID to log in.


Appreciate any comments, suggestions or pointers on how to make an OpenID PAM module.


Thanks!


Accepted answer by Dr I

I may have misunderstood the request, but Google (for example) provides a way to allow client-side and installed applications to authenticate through Google's API using OAuth 2.0 standards.


As you can see in Using OAuth 2.0 for Installed Applications, or even more in Using OAuth 2.0 for Devices.


Yes, you still need to use browser interaction etc., but Python as well as ASP.NET are able to handle web requests, and for the Linux part, GNOME too, through the WebKitGTK+ tools.


It may be a lead for your research.


Oh, and by the way, about web services and OpenID etc., the PAM module could be written in Python (for the web-server part) and be integrated into GNOME 3.2 easily (also Python to modify the Gnome-Keyring API), AND in ASP.NET for the Windows side.


But once again, I'm not a specialist on this question, just very interested in it. ;-)


Answer by Mewp

It's not the issue of the provider trusting the relying party.


The problem is in that the user has to trust it.


There are, however, three other issues:


  1. Whatever you do, you can't guarantee to your user that your PAM module doesn't steal his password.
  2. Since there's no unified authentication mechanism among providers, you would still need to display an interactive browser window. I don't think that PAM modules can be interactive, though.
  3. The module would have to be an HTTP server in order to be able to receive responses.
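The two answers above point at a flow that fits a login prompt: the OAuth 2.0 device-authorization grant ("Using OAuth 2.0 for Devices", standardized in RFC 8628). The device shows the user a short code and a URL, the user approves in any browser on any machine, and the device polls the token endpoint, so the module needs no HTTP listener of its own for the callback. On the PAM side, a module can display text and read input through the application's conversation callback (pam_conv), which is how the code can be shown to the user. The following Python is an added example, not code from the original post or from any real project: the provider is a constructed mock that follows the RFC 8628 endpoint behaviour and is not Google's API, the clock is faked so the flow runs instantly and offline, and the `pam_sm_authenticate` function, the `account_map` and the client id are illustrative assumptions. Note the last step: the token proves only that some identity at the provider approved, so the module must bind the asserted email to the local account being logged into.

```python
"""Added example (not from the original post or any real project): an OAuth 2.0
device-authorization grant (RFC 8628) driven from a PAM-style authenticate step.
The provider is a constructed mock following the RFC's endpoint behaviour; it is
not Google's API. The clock is faked so the exchange runs instantly and offline."""
import secrets

# Return codes as defined by Linux-PAM (<security/_pam_types.h>).
PAM_SUCCESS, PAM_AUTH_ERR, PAM_AUTHINFO_UNAVAIL = 0, 7, 9
DENY, NEVER = object(), object()  # simulated user decisions other than "approve as <email>"


class FakeClock:
    """Constructed clock: sleeping advances time instead of blocking."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class MockDeviceFlowProvider:
    """Constructed authorization server implementing the RFC 8628 endpoints."""

    def __init__(self, clock, interval=5, expires_in=60):
        self.clock, self.interval, self.expires_in = clock, interval, expires_in
        self._grants = {}        # device_code -> grant state
        self._by_user_code = {}  # user_code -> device_code (what the user types in)
        self._tokens = {}        # access_token -> email

    def device_authorization(self, client_id, scope):
        """RFC 8628 section 3.2: issue a device_code / user_code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self._grants[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                     "issued": self.clock(), "last_poll": None, "decision": None}
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://provider.example/device",
                "expires_in": self.expires_in, "interval": self.interval}

    def user_decides(self, user_code, decision):
        """Browser side: the signed-in user approves (decision = email) or denies (DENY)."""
        self._grants[self._by_user_code[user_code]]["decision"] = decision

    def token(self, client_id, device_code):
        """RFC 8628 sections 3.4 and 3.5: the token endpoint the device polls."""
        grant = self._grants.get(device_code)
        if grant is None or grant["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now - grant["issued"] > self.expires_in:
            del self._grants[device_code]
            return {"error": "expired_token"}
        too_fast = grant["last_poll"] is not None and now - grant["last_poll"] < self.interval
        grant["last_poll"] = now
        if too_fast:
            return {"error": "slow_down"}
        if grant["decision"] is None:
            return {"error": "authorization_pending"}
        del self._grants[device_code]  # a device_code is single use
        if grant["decision"] is DENY:
            return {"error": "access_denied"}
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = grant["decision"]
        return {"access_token": access_token, "token_type": "Bearer"}

    def userinfo(self, access_token):
        return {"email": self._tokens[access_token]} if access_token in self._tokens else {}


def pam_sm_authenticate(pam_user, conv, provider, account_map, clock, sleep,
                        client_id="pam-openid-example"):
    """PAM-style authenticate (hypothetical module entry point): show the user code
    through the conversation callback, poll the token endpoint, then check that the
    asserted identity is the one mapped to pam_user."""
    try:
        grant = provider.device_authorization(client_id, scope="openid email")
    except Exception:
        return PAM_AUTHINFO_UNAVAIL  # provider unreachable: fail closed, do not fall open
    conv("info", f"Visit {grant['verification_uri']} and enter code {grant['user_code']}")
    interval, deadline = grant["interval"], clock() + grant["expires_in"]
    while True:
        resp = provider.token(client_id, grant["device_code"])
        if "access_token" in resp:
            break
        err = resp.get("error")
        if err == "slow_down":
            interval += 5          # RFC 8628 section 3.5: back off by 5 seconds
        elif err != "authorization_pending":
            return PAM_AUTH_ERR    # access_denied, expired_token, invalid_grant
        if clock() > deadline:
            return PAM_AUTH_ERR    # local safeguard even if the provider keeps us pending
        sleep(interval)
    email = provider.userinfo(resp["access_token"]).get("email")
    # The token only proves that *some* identity approved; bind it to the local account.
    return PAM_SUCCESS if email and account_map.get(pam_user) == email else PAM_AUTH_ERR


def run_scenario(decision, act_after_polls=2, pam_user="harvey"):
    """Drive one login. `decision` is the approving email, DENY or NEVER; the simulated
    user reads the code off the prompt and acts after the module has polled N times."""
    clock = FakeClock()
    provider = MockDeviceFlowProvider(clock)
    prompts, polls = [], [0]

    def conv(style, msg):
        prompts.append((style, msg))

    def sleep(seconds):  # while the module sleeps, the 'user' gets to act
        clock.sleep(seconds)
        polls[0] += 1
        if polls[0] == act_after_polls and decision is not NEVER:
            provider.user_decides(prompts[-1][1].rsplit(" ", 1)[1], decision)

    account_map = {"harvey": "harvey@gmail.com"}  # constructed local-user -> identity mapping
    return pam_sm_authenticate(pam_user, conv, provider, account_map, clock, sleep)


if __name__ == "__main__":
    for label, decision in [("approve", "harvey@gmail.com"), ("other identity", "mallory@gmail.com"),
                            ("deny", DENY), ("walk away", NEVER)]:
        print(f"{label}: rc={run_scenario(decision)}")
```

The four scenarios in the `__main__` block cover approval by the mapped identity (success), approval by a different identity (rejected at the account-binding step), an explicit denial, and a user who never acts (the grant expires and the module gives up). What the example does not remove is the first objection above: whatever the module does, the user still has to trust the code that shows the prompt.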

Answer by No Substitute

I found this one. JumpCloud


It looks like it could do the trick, if you use LDAP.


OK, the idea of JumpCloud is that they provide the LDAP-to-Google OAuth connection, so if you set up your system to authenticate through LDAP, but set it to check JumpCloud's LDAP and not your local system, then you should be able to log in using a Google domain account.
