Re: Debian /bin/login and heimdal kerberos



On 15 Jul, Brian A May wrote:
+-----
|  On Mon, Jul 12, 1999 at 02:57:10PM +0200, Wichert Akkerman wrote:
|  > I wonder if what you did can also be implemented using a PAM module?
|  
|  I think PAM should be sufficient for the purpose of /bin/login, which
|  is very similar to the standard login, i.e. the only difference is that
|  it uses your password to obtain a Kerberos ticket, which must be saved
|  somewhere. It should also set the environment variable KRB5CCNAME to
+--->8

One notable difference:  you can't implement login of root instances
(as provided in kth-krb; dunno about heimdal) via PAM.  Or at least
I've been completely unsuccessful in convincing login to grant a uid of
0, because it's login and not PAM that makes that decision.  (IMHO that
should be part of the PAM account stuff, but the PAM spec disagrees so
I guess I'd have to petition Sun to get it changed....)

|  configurable by the user). Can PAM do this?
+--->8

Yes, just do it in the PAM module's session close code.  Look up the
pam_linux_afs module, which manages AFS tokens (related to Kerberos
tickets); it's a good and relatively simple example of how to deal with
network authentication tokens.

|  However, I don't know if PAM can transparently support authentication
|  by kerberos tickets instead of supplying a password. Such support would
+--->8

Not directly (that is, it can't read the ticket itself), because
current protocols don't support it; that's normally handled by telnetd
or rlogind, which then invokes "login -f user".  But then, IIRC that's
how we got started on this topic, isn't it?

You would have to define a new Kerberized telnet protocol to accomplish
this, with telnetd and login's PAM invocation somehow interacting, if
you want to *replace* the password prompt with a ticket exchange.

An alternative would be a PAM module which checks for existence of a
valid ticket (stored by telnetd) in the ticket cache which matches the
specified user and authenticates the user based on that, bypassing the
password check.  This might have issues with pre-existing ticket files
if non-root can run /bin/login, but I think (and hope) that usage is
deprecated.

-- 
brandon s. allbery	   os/2,linux,solaris,perl	allbery@kf8nh.apk.net
system administrator	    kth-krb,heimdal,gnome	  allbery@ece.cmu.edu
carnegie mellon / electrical and computer engineering			kf8nh
    We are Linux. Resistance is an indication that you missed the point.