If you are at all familiar with the UNIX or Linux world, you will know about the Pluggable Authentication Module (PAM) functionality. Essentially, PAM is a highly extensible login framework for authenticating and authorizing a user for access to a server. Prior to PAM, most logins worked directly against the local /etc/passwd database, but with PAM, users are authenticated against the PAM library, which in turn relies on a series of “modules” (surprise!) that each return a Yes/No response. On many UNIX and Linux boxes, PAM still relies on /etc/passwd, but it doesn’t have to—and often doesn’t. For example, LDAP is quite often supported for authentication, and this is done by simply adding the right LDAP module to your PAM configuration.
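To make the "series of modules that return Yes/No" idea concrete, here is an added example (not from the original post) that models in simplified form how Linux-PAM's required, requisite and sufficient control flags combine module verdicts, and what changes when an LDAP module is added to the stack. The Python functions named after pam_unix and pam_ldap are stand-ins, and the user tables are constructed sample data.

```python
import hmac

# Constructed sample data: one local-only account, one directory-only account.
LOCAL_USERS = {"root": "toor-local"}   # stands in for /etc/passwd (shadow)
LDAP_USERS = {"alice": "ldap-secret"}  # stands in for an LDAP directory

def _check(db, user, password):
    stored = db.get(user)
    # An unknown user must fail outright; never compare against a default value.
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def pam_unix(user, password):  # stand-in for the local-database module
    return _check(LOCAL_USERS, user, password)

def pam_ldap(user, password):  # stand-in for the LDAP module
    return _check(LDAP_USERS, user, password)

def authenticate(stack, user, password):
    """Walk the stack in order and reduce the Yes/No answers to one verdict."""
    failed = succeeded = False
    for control, module in stack:
        ok = module(user, password)
        if control == "requisite":
            if not ok:
                return False           # fail immediately, skip the rest
            succeeded = True
        elif control == "required":
            if ok:
                succeeded = True
            else:
                failed = True          # remembered, but later modules still run
        elif control == "sufficient":
            if ok and not failed:
                return True            # success ends the stack early
            # a failing "sufficient" module is ignored
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return succeeded and not failed    # an empty or all-ignored stack denies

# Before: local accounts only. After: the LDAP module is added in front.
LOCAL_ONLY = [("required", pam_unix)]
WITH_LDAP = [("sufficient", pam_ldap), ("required", pam_unix)]

if __name__ == "__main__":
    for name, stack in (("local only", LOCAL_ONLY), ("with LDAP", WITH_LDAP)):
        for user, pw in (("root", "toor-local"), ("alice", "ldap-secret")):
            print(f"{name:10} {user:5} -> {authenticate(stack, user, pw)}")
```

Order matters: placing the required local module ahead of the sufficient LDAP one would reject directory-only users, because an earlier required failure cannot be overridden.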
Yawn.
Well, it is all very cool actually, but it is old news in the UNIX world.
Now, Windows has supported this, kind of, a little bit, with GINA and GINA chaining and what-have-you, but it is really JUST NOT DONE. In addition, the GINA chaining concept is rarely if ever used. (I have heard because of reliability issues.)
However, Vista now supports a new model known as Credential Provider, which is deceptively like… PAM! Well, cool. (And they say Microsoft doesn’t learn!)
Anyway, I suggest you take a look at this as it’s all very nifty stuff:


This is one of the most stupid and misinformed blog posts I've ever read on O'Reilly. Congratulations on making me seriously consider unsubscribing.
Jake, what makes you say that?
Ha, yes, I'm curious myself.. Either he doesn't think PAM does what PAM does or that Credential Provider does what Credential Provider does. ;)
I'd like to know why anyone should care, given Microsoft's long, unbroken record of 100% security incompetence. The 'Credential Provider Samples' doesn't let you download the samples on anything but "genuine Microsoft Windows," and it runs some kind of check first. Too bad if you want to download it on a PC that's safe to connect to the Internet - you don't get that option.
The (old) Windows equivalent to PAM is GINA. I believe GINA (I first heard about the GINA in approximately 93... early 94) even predates PAM (1995). Same rough functionality. It's also not particularly hard to develop a custom GINA, if you so choose.
The GINA is widely used heavily by third parties for stuff such as NIS auth, Sun LDAP auth, Novell, smartcard readers, biometrics, etc, etc, etc. These are used in huge enterprises, they work well.
PAM is neat, but has been less than squeaky clean in the past with quality and security issues.
But anyway, continue on with the blind MS-hating, it's entertaining.