On Fri, Feb 15, 2002 at 05:43:07PM +0000, Illtud Daniel wrote:
>
> Implementing PAM would give us (instantly) LDAP, Kerberos, NIS[+],
> RADIUS, TACACS+, Netware, s/key etc... or at least it would on
> sane platforms. Is there a PAM implementation on win32?

I completely agree that this would be the way to go, but I am not aware of a Windows PAM implementation. That's why I think it would be a lot of work (unless you only needed it on a Unix platform).

One way you can get PAM for a VNC connection today is by tunneling over SSH and using OpenSSH's PAM authentication. I've played with this a little bit. If you disallow unencrypted direct VNC connections and turn off VNC authentication, then a properly configured client can use whatever SSH authentication mechanism you want and then transparently launch VNC without an additional password.

You have to be careful with this in multiuser configurations, however. If you are using VNC over forwarded ports and have VNC not requiring passwords, then you need limits on which users are allowed to forward to which ports. A more secure system might be to use OpenSSH's subsystem functionality to run VNC directly over an SSH channel without the TCP forwarding layer, but this only works with SSH2, not SSH1 (and there is no free Java implementation of SSH2 at this time).

Getting back to the original question (LDAP auth for VNC), I hear that LDAP support is planned in the near future for the recently released TridiaVNC Pro (a commercial product).

--
Mike Ossmann, Tarantella/UNIX Engineer/Instructor
Alternative Technology, Inc.
http://www.alttech.com/
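
The per-user forwarding limit described in the message above can be expressed in a current OpenSSH server configuration. This is an added example, not part of the original message; the user names, display numbers and the loopback-only VNC listeners are assumptions.

```conf
# Constructed sshd_config fragment; users and display numbers are hypothetical.
# Assumes each user's VNC server listens on loopback only, with VNC
# authentication turned off, on TCP port 5900 + display number.

# Weak setting: any authenticated account may forward to any port,
# including another user's password-less VNC display.
#   AllowTcpForwarding yes

# Corrected: refuse forwarding by default, then grant exactly one
# destination per user in a Match block.
AllowTcpForwarding no
GatewayPorts no

# alice owns display :1 (port 5901). The destination is matched as the
# client requested it, so both spellings of the loopback host are listed.
Match User alice
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:5901 localhost:5901

# bob owns display :2 (port 5902).
Match User bob
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:5902 localhost:5902
```

`sshd -t` checks the file for syntax errors before the daemon is reloaded. PermitOpen constrains forwarding requests only: an account that also has an interactive shell on the host can still reach loopback ports directly, so the mapping is only as strong as the shell restrictions on those accounts.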
