> Right. Now, what I'm saying is that telnetd can tell PAM, by way of
> /bin/login if need be, that "hey, the user authenticated as
> foo@SOMAREALM.COM with Kerberos and is asking to log in as foo", then
> /bin/login or PAM can check ruid==0, .k5login and so on and forgo any
> further prompting of the user. If the user didn't tell telnetd who he
> wants to log in as, that's ok, PAM will prompt for that, check .k5login
> and then possibly prompt for a password.
>
> To avoid the problem you suggest PAM_KRB5 has to be careful to not
> allow the remote user's TGT to be put in the ccache if the remote user
> ends up logging in to a different local user. The gotcha is that if
> telnetd has to call /bin/login, then telnetd may have to create the
> ccache first, then PAM_KRB5 will have to destroy it.

There is nothing wrong with me logging in as Scott and storing my Fred
credentials in that account.

Jeffrey Altman * Sr.Software Designer
The Kermit Project * Columbia University
612 West 115th St * New York, NY * 10025 * USA
http://www.kermit-project.org/ * kermit-support@kermit-project.org
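The "check .k5login" step the quoted message refers to is the point where a Kerberos principal (who the user proved they are) is mapped onto a local account (who they asked to log in as). The following is an added illustration of that authorization decision, written for this thread; it is not code from telnetd, /bin/login or any PAM_KRB5 module. It follows the shape of the usual kuserok rule: if the target user has a .k5login, the principal must be listed there; if there is no .k5login, the principal is accepted only when its name is the local username and its realm is the host's default realm. The realm EXAMPLE.COM, the .k5login contents and the ownership policy in `load_k5login` are constructed assumptions for the example.

```python
import os
import pwd
import stat
from typing import Optional

# Assumption for this example: the host's local default realm.
DEFAULT_REALM = "EXAMPLE.COM"


def principal_is_authorized(principal: str, local_user: str,
                            k5login_text: Optional[str],
                            default_realm: str = DEFAULT_REALM) -> bool:
    """Decide whether `principal` may log in as `local_user`.

    k5login_text is the content of the target user's .k5login, or None
    if that user has no such file.
    """
    if "@" not in principal:
        return False
    name, realm = principal.rsplit("@", 1)

    if k5login_text is None:
        # No .k5login: only the default mapping applies, i.e. a
        # single-component principal (no instance) whose name equals the
        # local username and whose realm is the local default realm.
        return "/" not in name and name == local_user and realm == default_realm

    # A .k5login exists: the principal must appear verbatim, one per line.
    # Blank lines are ignored (an assumption made for this example).
    for line in k5login_text.splitlines():
        entry = line.strip()
        if entry and entry == principal:
            return True
    return False


def load_k5login(local_user: str) -> Optional[str]:
    """Read ~local_user/.k5login from disk, or return None if absent.

    Example policy (an assumption, not a claim about any implementation):
    the file must be owned by the user or root and must not be writable
    by group or others; otherwise it is treated as an empty list, which
    denies everyone, because a writable file could grant access to
    whoever can edit it.
    """
    pw = pwd.getpwnam(local_user)
    path = os.path.join(pw.pw_dir, ".k5login")
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    if not stat.S_ISREG(st.st_mode):
        return ""
    if st.st_uid not in (pw.pw_uid, 0) or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return ""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


# Constructed .k5login for the local account "scott", granting Fred access.
SCOTT_K5LOGIN = "fred@EXAMPLE.COM\n"

if __name__ == "__main__":
    print(principal_is_authorized("foo@EXAMPLE.COM", "foo", None))        # True
    print(principal_is_authorized("fred@EXAMPLE.COM", "scott", SCOTT_K5LOGIN))  # True
    print(principal_is_authorized("foo@OTHER.ORG", "foo", None))          # False
```

The second call is the "log in as Scott with my Fred credentials" case from the reply: Fred's principal is accepted for the local account scott because scott's .k5login lists it, independently of what ends up in the credential cache afterwards.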