
Re: redhat kerberos PAM



On Thu, Nov 09, 2000 at 11:28:18AM +1100, Brian May wrote:
> >>>>> "Joel" == Joel Kociolek <joko@logidee.com> writes:
> 
>     Joel> I wouldn't say that I know of a decent one. I'm too much
>     Joel> inexperienced with this, and from what I've understood, it
>     Joel> could be really "indecent" to use PAM with kerberos. But
> 
> I think using PAM is OK for login sessions, e.g. xdm, text mode console,
> etc. That way the user doesn't need to have a Unix-style password.

Right. And using PAM with PAM_KRB5 with encrypted sessions (e.g., SSH),
during a transition to using fully kerberized protocols, is also ok.

>     Nicolas> There's a PAM_KRB5 somewhere in the heimdal site.
> 
> Where?

ftp://ftp.it.su.se/pub/kerberos/contrib/source/pam_krb5-1.2.tar.gz

>     Nicolas> It looks pretty good, except for one serious, easily
>     Nicolas> fixable problem: the krb5 password validation function is
>     Nicolas> called without a valid prompter function, so the krb5
>     Nicolas> library is allowed to believe that the user can be
>     Nicolas> prompted via the tty.
> 
>     Nicolas> The solution to this problem is simple: add a krb5
>     Nicolas> prompter function whose prompter_data is a PAM handle and
>     Nicolas> have this prompter convert krb5 prompts to PAM prompts
>     Nicolas> and so on.
> 
>     Nicolas> That said, this is the ONLY PAM_KRB5 module I have seen
>     Nicolas> so far that gets password-aging right, namely by
>     Nicolas> attempting to get an initial ticket to the password
>     Nicolas> changing service so as to change the user's password and
>     Nicolas> then get a TGT for the user.
> 
> Is this going to be fixed by the author/maintainer?

Leif Johansson (leifj@matematik.su.se) is named in the README and can
probably give you a better answer than I :)

I need this module though. And I need it to support password aging
correctly, and only this implementation does that. So I may just fix it
myself, but I can't say when (early 2001 maybe? we'll see).

>     Jacques> I just committed a pam_krb5 port (based on fcusack's
>     Jacques> pam_krb5 also) for FreeBSD that can be compiled for
>     Jacques> either MIT or Heimdal.  One can look at the patches at
>     Jacques> http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/pam_krb5/files
>     Jacques> Looking at your patches it looks as if I may have missed
>     Jacques> a bit with the password change -- no surprise, I haven't
>     Jacques> really tested that, due to the fact that my users don't
>     Jacques> appear in /etc/passwd normally.
> 
> Or is this the URL here?

Dunno. I haven't looked at it.

> -- 
> Brian May <bam@snoopy.apana.org.au>


Nico
--
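The prompter fix Nicolas describes in the quoted text above (a krb5 prompter whose prompter_data is the PAM handle, translating krb5 prompts into PAM conversation messages), written out as an added C example; it is not code from pam_krb5 or from anyone in this thread. To build stand-alone it carries reduced local copies of the krb5 and PAM declarations (a real module includes the headers instead), assumes the MIT convention that `reply->length` holds the buffer size on entry, and drives the prompter with a constructed conversation function and a made-up principal name.

```c
#include <stdlib.h>
#include <string.h>
/* Reduced local copies of the krb5/PAM declarations (assumption, so this builds without the
 * headers; a real module includes <krb5.h> and <security/pam_appl.h> and drops these). */
typedef struct { unsigned int length; char *data; } krb5_data;
typedef struct { char *prompt; int hidden; krb5_data *reply; } krb5_prompt;
typedef int krb5_error_code; typedef void *krb5_context;
enum { PAM_SUCCESS = 0, PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2, PAM_TEXT_INFO = 4, PAM_CONV_ERR = 19 };
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv { int (*conv)(int, const struct pam_message **, struct pam_response **, void *); void *appdata_ptr; };
typedef struct { const struct pam_conv *conv; } pam_handle_t; /* real: pam_get_item(pamh, PAM_CONV, &conv) */
enum { MAXP = 8 };                      /* most prompts one krb5 call may hand us (local limit) */

/* krb5_prompter_fct whose prompter_data is the PAM handle: every krb5 prompt becomes a PAM
 * message of the right echo style, so the krb5 library never falls back to reading the tty. */
krb5_error_code pam_prompter(krb5_context ctx, void *data, const char *name,
                             const char *banner, int num, krb5_prompt prompts[])
{
    pam_handle_t *pamh = data; struct pam_response *resp = NULL;
    struct pam_message msg[MAXP]; const struct pam_message *msgp[MAXP];
    int n = 0, i, rc = 0, skip = banner ? 1 : 0;
    (void)ctx; (void)name; if (num < 0 || num >= MAXP) return -1;
    if (banner) { msg[0].msg_style = PAM_TEXT_INFO; msg[0].msg = banner; msgp[0] = &msg[0]; n = 1; }
    for (i = 0; i < num; i++, n++) {    /* hidden prompts (passwords) must not be echoed */
        msg[n].msg_style = prompts[i].hidden ? PAM_PROMPT_ECHO_OFF : PAM_PROMPT_ECHO_ON;
        msg[n].msg = prompts[i].prompt; msgp[n] = &msg[n];
    }
    if (pamh->conv->conv(n, msgp, &resp, pamh->conv->appdata_ptr) != PAM_SUCCESS || !resp)
        return -1;                      /* real code: return KRB5_LIBOS_CANTREADPWD */
    for (i = 0; i < num; i++) {         /* MIT convention: reply->length is the buffer size on entry */
        char *r = resp[i + skip].resp; krb5_data *out = prompts[i].reply;
        if (!r || strlen(r) >= out->length) rc = -1;   /* refuse to truncate an answer */
        else { memcpy(out->data, r, strlen(r) + 1); out->length = strlen(r); }
    }
    for (i = 0; i < n; i++)             /* scrub and free the PAM copies of the answers */
        if (resp[i].resp) { memset(resp[i].resp, 0, strlen(resp[i].resp)); free(resp[i].resp); }
    free(resp); return rc;
}
/* Constructed conversation function standing in for the login application's own one. */
static int demo_conv(int n, const struct pam_message **m, struct pam_response **out, void *d)
{
    struct pam_response *r = calloc(n, sizeof *r); int i; (void)d; if (!r) return PAM_CONV_ERR;
    for (i = 0; i < n; i++)             /* answer every real prompt, nothing for the banner */
        if (m[i]->msg_style != PAM_TEXT_INFO && (r[i].resp = malloc(10))) strcpy(r[i].resp, "s3cret-pw");
    *out = r; return PAM_SUCCESS;
}
/* Drives a banner plus one hidden prompt through pam_prompter into buf[bufsize]:
 * returns 0 with buf filled, or -1 when the answer does not fit the buffer. */
int demo_prompter(char *buf, unsigned int bufsize)
{
    struct pam_conv cv = { demo_conv, NULL }; pam_handle_t h = { &cv };
    krb5_data reply = { bufsize, buf }; krb5_prompt p = { "Password for alice@EXAMPLE.ORG: ", 1, &reply };
    return pam_prompter(NULL, &h, "krb5", "Kerberos login", 1, &p);
}
```

In a real module the prompter is passed to krb5_get_init_creds_password together with the PAM handle as prompter_data, which is what keeps the library from ever touching the tty.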