Nicolas Williams wrote: > > On Sun, 20 Aug 2000, Jeffrey Altman <jaltman@columbia.edu> wrote: > > > Ok: I requested to login as scott, but lately entered "fred" > > > as username and fred's password. > > > > > > I think that this situation is also possible with kerberized > > > telnet, _especially_ when PAM concerned: if administrator rejects > > > someone's access to the system (using pam_listfile etc etc), > > > 1st login attempt will fail, and after this login will prompt > > > for a username. But note that if that second username will be > > > not the same as first one, we can have at least strange things > > > with kerberos tickets (yes, if second time login will "fallback" > > > to plain password auth): Fred on remote machine will have access > > > to scott's tickets etc. > > > > This behavior is by design. It allows the user to authenticate to the > > system with their credentials (scott) but login to the account of > > another user after proving knowledge of the user's password. > > > > There is nothing wrong with this. A properly installed telnetd > > supporting the telnet AUTH option will be configured to either allow > > this behavior or not depending on the administrator's preferences. > > There are four levels of acceptable login: > > Yes, but, I think Michael was writing in the context of /bin/login, > PAMified, instead of login.krb5. [sorry me for quoting so big part of discussion -- mjt] Thanks Nicolas. Exactly. Funny things will happen then krb telnetd will think that pamified login was autentificated scott, while it really authentificated fred. And this was an argument for having pamified liblogin used inside telnetd directly, where this sort of stuff will be fully controlled. I don't know if this is bad to have access to scotts tickets as a fred, but at least it is funny enouth to take care of this. Note also that telnetd/login can't just ignore administrator's settings in pam. This is a bad thing (tm?). [] [Kerberos tickets, shared memory, /tmp files] I does not know about kerberos at all, sorry me. I see to this from other perspective, not from "inside" kerberos. I'm not a kerberos developer, and not a subscriber to krbdev. I just noted what was in mind about subject. But thanks god that krbdev list accepts postings from non-members (that I can't say about pam-list, isn't it? -- I see only messages from Nicolas here) and thanks Nicolas -- I was very glad to see this "cross-list" discussion, and to see that people (tries to) cooperates together. Thanks! Regards, Michael.
