
Re: Debian /bin/login and heimdal kerberos



On Mon, Jul 12, 1999 at 02:57:10PM +0200, Wichert Akkerman wrote:
> I wonder if what you did can also be implemented using a PAM module?
> That seems to fix most of the problems you mentioned here, since it
> moves the responsiblity for these tasks from login to the different PAM
> modules.
> 
> It would also mean the code can be used in much more places than just
> login.

I have to admit, I don't really understand how PAM works.

I think PAM should be sufficient for the purpose of /bin/login, which
is very similar to the standard login, i.e. the only difference is that
it uses your password to obtain a Kerberos ticket, which must be saved
somewhere. It should also set the environment variable KRB5CCNAME to
indicate where the ticket is. Also, it should be able to delete the
ticket on logout (although some people have said that this should be
configurable by the user). Can PAM do this?

However, I don't know if PAM can transparently support authentication
by Kerberos tickets instead of supplying a password. Such support would
require
1. Kerberos ticket and authenticator be transmitted instead of the
password, and some message should be sent back to the client.
2. some means of the server (assuming it is a client/server application)
can contact the client to verify to the client that the server is not a fake
(optional).
3. Encryption (optional).

Whether 2 and 3 are required depends on the application.

Please feel free to correct any errors I may have made in the above ;-)

-- 
Brian May <bmay@csse.monash.edu.au>
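As an added illustration of how the three login requirements in the message above (obtain a ticket from the typed password, export KRB5CCNAME, destroy the ticket on logout) map onto PAM module types, here is an example /etc/pam.d/login stack. It is not from the original thread; it assumes Russ Allbery's pam-krb5 module (Debian package libpam-krb5) and the option names from its manual page.

```text
# /etc/pam.d/login (added example; assumes Russ Allbery's pam-krb5,
# Debian package libpam-krb5, not something from the original thread)

# auth: the typed password is tried against the KDC first, which yields the
# initial Kerberos ticket. If that fails, the same password is handed on to
# pam_unix so purely local accounts (and system accounts below the UID
# threshold) still work.
auth      sufficient  pam_krb5.so  minimum_uid=1000
auth      required    pam_unix.so  try_first_pass

# account: pam_krb5 checks the principal is allowed to log in as this user
# (e.g. via ~/.k5login); pam_unix applies the usual expiry checks.
account   required    pam_krb5.so  minimum_uid=1000
account   required    pam_unix.so

# session: on open, pam_krb5 writes the ticket obtained at auth time into a
# per-session credential cache (a file under /tmp by default) and exports
# KRB5CCNAME so Kerberos-aware programs can find it. On close it destroys
# that cache. Appending retain_after_close to the pam_krb5 session line would
# keep the cache after logout, which is the user-configurable behaviour the
# thread mentions.
session   optional    pam_krb5.so  minimum_uid=1000
session   required    pam_unix.so
```

The module does not by itself cover the second part of the message (ticket-based rather than password-based authentication between a client and a server); that is a job for the application protocol, not for PAM.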