PAM - the right solution to the wrong problem
I've written briefly twice before about why PAM makes me uncomfortable. In essence, I worry about the conflation of the environment in which authentication takes place and the environment which requires the authentication. This wasn't as much of a problem back when authentication was a simple matter of calling getpwent and crypt, which is how we got into this situation. The BSD Auth framework looks a lot more promising.
However, more recently I tried to work from home. Getting a SOCKS tunnel into the office was the easy bit: the trickier problem was having various programs use the tunnel just for accessing the office, not for anything else. Some, such as Thunderbird, have to use SOCKS for everything or nothing, and even programs that are more selective each need configuring individually.
More generally, every program has to specifically include support for SOCKS, TLS, IPv6 etc. Many don't have it.
What's needed, I feel, is a framework like PAM for establishing network connections. Something to which I can say "Anything trying to connect to *.where-i-work.com for any purpose should use SOCKS through a private unix-domain socket, both for the connection and for name lookup. If the socket isn't there, this is the command to make it." and countless variants on the theme. Something that, once configured, would be honoured by firefox, thunderbird, svn, ssh and so on. Something that could have a combination of site-wide, system-wide and per-user configuration.
Except, of course, that if such a system existed it would be natural to create a tunneling protocol for it, which could be a lot more powerful than SOCKS currently is.
I wonder how hard it would be to make a good job of, and how widely accepted it might become…
However, more recently I tried to work from home. Getting a SOCKS tunnel into the office was the easy bit: the trickier problem was having various programs use the tunnel just for accessing the office, not for anything else. Some, such as Thunderbird, have to use SOCKS for everything or nothing, and even programs that are more selective each need configuring individually.
More generally, every program has to specifically include support for SOCKS, TLS, IPv6 etc. Many don't have it.
What's needed, I feel, is a framework like PAM for establishing network connections. Something to which I can say "Anything trying to connect to *.where-i-work.com for any purpose should use SOCKS through a private unix-domain socket, both for the connection and for name lookup. If the socket isn't there, this is the command to make it." and countless variants on the theme. Something that, once configured, would be honoured by firefox, thunderbird, svn, ssh and so on. Something that could have a combination of site-wide, system-wide and per-user configuration.
Except, of course, that if such a system existed it would be natural to create a tunneling protocol for it, which could be a lot more powerful than SOCKS currently is.
I wonder how hard it would be to make a good job of, and how widely accepted it might become…