Could telnetd create the cache file and keep it open, thus obviating the need for it to know its future file name? Or perhaps an open Unix socket that PAM_KRB5 could use to communicate back to telnetd.

If this can be done strictly through PAM and specifying some requirements for /bin/login, then a /bin/login that behaves like Solaris 2.6's (or later) would do fine, provided there's a suitable PAM_KRB5...

Another alternative is to suck /bin/login into telnetd. But if this problem can be solved between telnetd and PAM, then there's no need to replace a vendor's /bin/login, provided that /bin/login does the Right Things (tm) with PAM.

Nico

On Tue, Aug 15, 2000 at 11:51:29AM -0400, Jeffrey Altman wrote:
> > I had no idea that telnetd could do this.
>
> The current one does not, but I am working on one that does (with Ken
> Raeburn).
>
> > This presents a problem though, doesn't it? If /bin/login does all the
> > work, then how can telnetd find what name was ultimately given to the
> > credentials cache file, or even if login succeeded at all?
>
> Bingo. You have hit the nail on the head. Right now the way things
> work is that telnetd creates the credential cache file and passes its
> name as an environment variable. /bin/login (the customized version)
> changes the ownership of the credential cache file before it executes
> the user's shell.
>
> So /bin/login is not doing all of the work. Just part of it. telnetd
> is very well aware of the name of the cache file. It just needs to
> switch to the user's account, update the file, and switch back to
> 'root'. The problem is that telnetd does not necessarily know the
> account the user is logged into. This can be the case when the user
> authenticates but does not specify a username to use for login; or if
> the username specified is not authorized for the provided credentials.
>
> Jeffrey Altman * Sr. Software Designer
> The Kermit Project * Columbia University
> 612 West 115th St * New York, NY * 10025 * USA
> http://www.kermit-project.org/ * kermit-support@kermit-project.org
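The mechanism Nico proposes in his first paragraph, shown as an added C example that is not code from this thread or from any telnetd or login implementation: the parent (standing in for telnetd) creates the credential cache with mkstemp and holds the descriptor open, the child (standing in for /bin/login plus PAM_KRB5) moves the file to whatever final name it likes and reports the selected account back over a Unix socketpair, and the parent then updates the file through the descriptor it still holds, never needing to know the new name. The /tmp path, the rename to a "_final" suffix, the message struct and the payload bytes are all constructed for the demonstration; fchown only changes ownership when running as root, so the example attempts it only in that case.

```c
/* Added example: parent keeps the cache fd open across a fork; the child
 * renames the file and reports the login result over a Unix socketpair.
 * Names, message layout and payload below are constructed for the demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* What the "login" side sends back to the "telnetd" side (constructed). */
struct login_result {
    int ok;            /* 1 if the login side succeeded */
    uid_t uid;         /* account the login side settled on */
    char newname[64];  /* final cache name chosen by the login side */
};

/* Returns 1 when the parent could still reach and update the cache
 * through its open descriptor after the child renamed the file. */
int telnetd_keep_open_demo(void)
{
    char tmpl[] = "/tmp/krb5cc_demo_XXXXXX";   /* constructed path */
    int cc_fd = mkstemp(tmpl);                  /* create cache, keep fd */
    if (cc_fd < 0) return 0;

    int sv[2];                                  /* the "open Unix socket" */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { close(cc_fd); return 0; }

    pid_t pid = fork();
    if (pid < 0) { close(cc_fd); return 0; }
    if (pid == 0) {
        /* Child: stands in for /bin/login + PAM_KRB5.  It moves the cache to
         * its final name and reports the account it picked.  The parent
         * never learns the name by itself; it only needs the descriptor. */
        close(sv[0]);
        struct login_result r;
        memset(&r, 0, sizeof r);
        snprintf(r.newname, sizeof r.newname, "%s_final", tmpl);
        r.ok = (rename(tmpl, r.newname) == 0);
        r.uid = getuid();                       /* demo: the current account */
        if (write(sv[1], &r, sizeof r) != (ssize_t)sizeof r) _exit(1);
        _exit(0);
    }

    /* Parent: wait for the login result over the socket, not via the name. */
    close(sv[1]);
    struct login_result r;
    ssize_t n = read(sv[0], &r, sizeof r);
    close(sv[0]);
    int status;
    waitpid(pid, &status, 0);
    if (n != (ssize_t)sizeof r || !r.ok) { close(cc_fd); return 0; }

    /* The original name is gone, yet the descriptor still refers to the
     * same inode that now lives under the child's chosen name. */
    int old_gone = (access(tmpl, F_OK) != 0);
    struct stat st_fd, st_path;
    int ok = old_gone
          && fstat(cc_fd, &st_fd) == 0
          && stat(r.newname, &st_path) == 0
          && st_fd.st_ino == st_path.st_ino
          && st_fd.st_dev == st_path.st_dev;

    /* Update the cache and hand it to the selected account through the fd.
     * fchown to another uid needs root; when not root the demo skips it. */
    const char payload[] = "constructed-ticket-bytes";
    if (ok && write(cc_fd, payload, sizeof payload - 1) != (ssize_t)(sizeof payload - 1))
        ok = 0;
    if (ok && geteuid() == 0 && fchown(cc_fd, r.uid, (gid_t)-1) < 0)
        ok = 0;

    close(cc_fd);
    unlink(r.newname);
    return ok;
}

int main(void)
{
    printf("keep-open scheme works: %s\n", telnetd_keep_open_demo() ? "yes" : "no");
    return 0;
}
```

The point the demo makes is the one Nico raises: once telnetd holds the descriptor, the final name and the final account are things the login side can tell it afterwards over the socket, so neither telnetd nor login has to agree on a naming convention in advance. The same descriptor is also what a real implementation would fchown to the account the login side reports, which sidesteps the case Jeffrey describes where telnetd does not know the username until login has finished.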