I've read with interest the discussion of Kerberos & PAM on the list. Very fascinating indeed... I've a few questions.

We're deploying an MIT Kerberos/LDAP domain for our Unix machines, and all is going well - I'm packaging up the relevant libraries and such for Solaris 7, and using the built-in modules on Solaris 8 and RedHat... I have a working Kerberos 5 module for Solaris 7 (it's Frank Cusack's module), and I was making some changes so it could deal with OpenSSH/Kerberos combinations (where OpenSSH has already done the authentication via Kerberos and the TGT has been passed - I just wanted the session/account portions to work...). Is there a better module? The module I use must compile against stock Solaris 7 with the MIT Kerberos v1.2.1 libraries - I can't deploy Linux-PAM on Solaris, for political reasons.

Things were going reasonably well, until I started to get interested in the whole thing - what gets called with what uid at what time - so I added lots of syslog calls in, at which point the module broke: "/dev/console owned by root but utmp says <login>". (This would have been fine, except that BT then decided to hang up the phone line, so the terminal I had open onto the window closed, and I'm now locked out of the machine until Monday <sigh>.)

So, what's the best way to log from inside a PAM module?

The other question I had is that the Unix credentials (uid, gid, supplementary groups) aren't set by PAM modules - why is that?

Also, is there a diagram of the PAM process for a "typical" root-privileged and non-root-privileged daemon that's accepting logins, both with and without authentication? And a list of how common apps on Solaris & Linux don't obey that? (E.g. stock SSH doesn't work well with the pam_krb5 module, but OpenSSH does. At the same time, OpenSSH appears to call pam_sm_setcred(DELETE) *twice*, once before opening a session, once after... <sigh>. Why?)

Some basic PAM programming introductions, basically.
Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+