On Thu, Aug 28, 2003 at 12:20:00AM +0100, Jim Potter wrote:

> I wrote this PAM authentication module. It authenticates users based
> on them already being authenticated to a samba server process on the
> same machine (doesn't refer to password at all). An older version is
> on sourceforge, but I can't work out the cvs thing, so here it is if
> you're interested. I've used it successfully on debian 3.0. It needs
> libtdb, libtdb-dev, and you may need to change the reference to your
> session database (/var/run/samba/sessionid.tdb on mine - I think this
> is unusual).
>
> to build and install:
>
> gcc -c -fPIC pam_smb_sso.c
> ld -x --shared -ltdb -o pam_smb_sso.so pam_smb_sso.o
> cp pam_smb_sso.so /lib/security
>
> I've used it on proftp and it worked. I reckon there's a few issues to
> do with security and possibly network load if you haven't got a good
> name service whatnot in place (ie resorting to broadcasts to locate
> station names).

Yes; please be aware that the hostname is not guaranteed to uniquely
identify a session in the Samba sessionid.tdb, as there may be more than
one login associated with a single IP address. In particular, this module
would represent a security hole when coupled with a Windows terminal
server, a multiuser Unix machine, or a NATted firewall.

While certainly easier than rolling out completely GSSAPI-enabled
services, I wouldn't recommend this security model as an SSO solution.

Regards,
-- 
Steve Langasek
postmodern programmer
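An added illustration of the ambiguity described in the reply above; it is not the module's code and not from the thread. It uses a constructed in-memory session table (the real sessionid.tdb layout is assumed, not taken from the page) and only trusts an address that is bound to exactly one user:

```python
from collections import defaultdict

# Constructed sample of what a Samba session table might hold: one record
# per logged-in SMB session, with the client's address. Illustrative only;
# the real sessionid.tdb record layout is an assumption here.
SESSIONS = [
    {"username": "alice", "remote_machine": "ws01", "ip": "10.0.0.5"},
    {"username": "bob",   "remote_machine": "ts01", "ip": "10.0.0.9"},
    # terminal server / NAT case: a second user behind the same address
    {"username": "carol", "remote_machine": "ts01", "ip": "10.0.0.9"},
]


def sessions_for(ip, sessions=SESSIONS):
    """All SMB sessions currently held from the given client address."""
    return [s for s in sessions if s["ip"] == ip]


def sso_user(ip, sessions=SESSIONS):
    """Return the username to inherit for this address, or None.

    An address identifies a host, not a person. Inheriting a login from it
    is only defensible when exactly one user is bound to it; with none
    there is nothing to inherit, and with two or more (terminal server,
    multiuser Unix box, NATted firewall) the mapping is ambiguous and
    must be refused rather than guessed. Even the single-user case is only
    as strong as the address-to-user binding itself.
    """
    users = {s["username"] for s in sessions_for(ip, sessions)}
    if len(users) != 1:
        return None
    return users.pop()


def ambiguous_addresses(sessions=SESSIONS):
    """Addresses holding sessions for more than one user: where this fails."""
    by_ip = defaultdict(set)
    for s in sessions:
        by_ip[s["ip"]].add(s["username"])
    return {ip: sorted(u) for ip, u in by_ip.items() if len(u) > 1}
```

Running ambiguous_addresses() over a live session table is the quick way to see how often the single-login assumption actually holds on a given network.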