Re: PAM and Kerberos

On Mon, Aug 21, 2000 at 10:05:39PM +0400, Michael Tokarev wrote:
> Nicolas Williams wrote:
> > Yes, but, I think Michael was writing in the context of /bin/login,
> > PAMified, instead of login.krb5.
> 
> [sorry for quoting such a big part of the discussion -- mjt]
> 
> Thanks Nicolas.  Exactly.  Funny things will happen when krb telnetd
> thinks that the PAMified login authenticated scott, while
> it really authenticated fred.  And this was an argument for having
> the PAMified liblogin used inside telnetd directly, where this sort of
> stuff will be fully controlled.  I don't know if it is bad to have
> access to scott's tickets as fred, but at least it is funny enough
> to take care of this.

Right. Now, what I'm saying is that telnetd can tell PAM, by way of
/bin/login if need be, that "hey, the user authenticated as
foo@SOMAREALM.COM with Kerberos and is asking to log in as foo", then
/bin/login or PAM can check ruid==0, .k5login and so on and forgo any
further prompting of the user. If the user didn't tell telnetd who he
wants to log in as, that's ok, PAM will prompt for that, check .k5login
and then possibly prompt for a password.

To avoid the problem you suggest, PAM_KRB5 has to be careful not to
allow the remote user's TGT to be put in the ccache if the remote user
ends up logging in as a different local user. The gotcha is that if
telnetd has to call /bin/login, then telnetd may have to create the
ccache first, and then PAM_KRB5 will have to destroy it.

> Note also that telnetd/login can't just ignore administrator's settings
> in pam.  This is a bad thing (tm?).

Agreed.

> []
> 
> [Kerberos tickets, shared memory, /tmp files]
> I do not know about Kerberos at all, sorry.  I see this from
> another perspective, not from "inside" Kerberos.  I'm not a Kerberos
> developer, and not a subscriber to krbdev.  I just noted what was
> on my mind about the subject.
> 
> But thank god that the krbdev list accepts postings from non-members
> (which I can't say about pam-list, can I? -- I see only messages
> from Nicolas here) and thanks Nicolas -- I was very glad to see
> this "cross-list" discussion, and to see that people (try to)
> cooperate together.

A thread started in krb-dev about this stuff and I thought the pam-list
should be involved as well.

> Thanks!
> 
> Regards,
>  Michael.

Thank you!

Nico
--
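As an added illustration of the .k5login and ccache rules Nico describes above (example code written for this archive page, not code from the thread or from any PAM or Kerberos implementation): a small model of the decision PAM_KRB5 or /bin/login would make once telnetd reports that the user already authenticated as some principal and asks to log in as a local account. The .k5login format handling (one principal per line, '#' comments, absence of the file meaning only local_user@default_realm is authorised), the EXAMPLE.COM realm and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example; not code from the thread or from any PAM/Kerberos project.
 * Models the .k5login check Nico describes: the user has already authenticated
 * to telnetd as "name@REALM" and asks to log in as local_user.
 * Assumptions (not in the original message): a missing .k5login means only
 * local_user@default_realm is authorised; a present .k5login lists one
 * principal per line, and lines starting with '#' are comments. */

/* 1 if principal is exactly local_user@default_realm. */
static int principal_is_local_user(const char *principal, const char *local_user,
                                   const char *default_realm)
{
    const char *at = strchr(principal, '@');
    if (at == NULL)
        return 0;
    size_t namelen = (size_t)(at - principal);
    return strlen(local_user) == namelen &&
           strncmp(principal, local_user, namelen) == 0 &&
           strcmp(at + 1, default_realm) == 0;
}

/* k5login: contents of ~local_user/.k5login, or NULL when the file is absent.
 * Returns 1 when principal may log in as local_user without a password prompt. */
int k5login_permits(const char *k5login, const char *principal,
                    const char *local_user, const char *default_realm)
{
    if (k5login == NULL)
        return principal_is_local_user(principal, local_user, default_realm);

    size_t plen = strlen(principal);
    const char *line = k5login;
    while (*line != '\0') {
        const char *end = strchr(line, '\n');
        size_t len = end != NULL ? (size_t)(end - line) : strlen(line);
        /* ignore trailing CR and whitespace so "fred@REALM \r\n" still matches */
        while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == ' ' ||
                           line[len - 1] == '\t'))
            len--;
        if (len > 0 && line[0] != '#' && len == plen &&
            strncmp(line, principal, len) == 0)
            return 1;
        if (end == NULL)
            break;
        line = end + 1;
    }
    return 0;
}

typedef struct {
    int allowed;          /* log in as local_user on the strength of the Kerberos auth */
    int prompt_password;  /* .k5login did not authorise it: fall back to a password */
    int keep_ccache;      /* leave the forwarded TGT in the session ccache */
} login_decision;

/* The rule from the message: the remote user's TGT may stay in the ccache only
 * when the Kerberos identity *is* the local user. fred logging in as scott via
 * scott's .k5login must not leave fred's tickets in scott's ccache. */
login_decision decide_login(const char *k5login, const char *principal,
                            const char *local_user, const char *default_realm)
{
    login_decision d;
    d.allowed = k5login_permits(k5login, principal, local_user, default_realm);
    d.prompt_password = !d.allowed;
    d.keep_ccache = d.allowed &&
                    principal_is_local_user(principal, local_user, default_realm);
    return d;
}

int main(void)
{
    /* constructed scenarios; EXAMPLE.COM is a placeholder realm */
    const char *scotts_k5login = "# scott lets fred in\nfred@EXAMPLE.COM\n";
    login_decision d = decide_login(scotts_k5login, "fred@EXAMPLE.COM",
                                    "scott", "EXAMPLE.COM");
    printf("fred -> scott: allowed=%d prompt=%d keep_ccache=%d\n",
           d.allowed, d.prompt_password, d.keep_ccache);
    d = decide_login(NULL, "fred@EXAMPLE.COM", "fred", "EXAMPLE.COM");
    printf("fred -> fred:  allowed=%d prompt=%d keep_ccache=%d\n",
           d.allowed, d.prompt_password, d.keep_ccache);
    return 0;
}
```

The point the thread makes shows up in the first scenario: the login is allowed without a prompt because scott's .k5login names fred, but keep_ccache is 0, which is the destroy-the-ccache step PAM_KRB5 would have to perform when telnetd created it before handing off to /bin/login.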