
Re: pam_krb5+Debian's login+telnet breaks!



On Mon, Nov 20, 2000 at 09:37:27AM +1100, Brian May wrote:
> >>>>> "Johan" == Johan Danielsson <joda@pdc.kth.se> writes:
> 
>     Johan> If it requires some authentication it should probably ask
>     Johan> for a password even with -f, no? Can't say I know how PAM's
>     Johan> supposed to work.
> 
> My guess is that login is somehow passing the -f flag to the PAM
> module. pam_krb5 doesn't understand this and fails the
> authentication. pam_unix does understand this, and allows the user to
> login without authenticating again.

-f should be handled like so: don't call pam_authenticate().

Actually, IIRC, though Sun's /bin/login does that, Sun's implementation
of Krb5 has a telnetd/login.krb5/pam_krb5 combination and its login.krb5
uses a PAM service name like 'ktelnet' and the PAM config for that looks
like:

ktelnet	auth	sufficient	pam_krb5	acceptor

where 'acceptor' means return PAM_SUCCESS in pam_krb5:pam_sm_authenticate().

See http://docs.sun.com, search for SEAM.

> Not that this really makes sense, but it ties up with what I have
> observed.
> -- 
> Brian May <bam@snoopy.apana.org.au>


Nico
--
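
Added example, not part of the original message or of any PAM implementation: a simplified C model of how a PAM auth stack is evaluated, showing why the `sufficient` line with `acceptor` quoted above lets the login through and why the same line fails when pam_krb5 cannot authenticate. The stacks, module results and the names `eval_stack`, `acceptor_first` and `required_first` are constructed for illustration; only the required, requisite and sufficient flags are modelled.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model (assumption): module results are supplied, not computed. */
enum control { REQUIRED, REQUISITE, SUFFICIENT };
enum verdict { STACK_FAIL = 0, STACK_OK = 1 };

struct entry {
    const char *module;    /* label only */
    enum control control;
    int module_ok;         /* 1 = pam_sm_authenticate() returned PAM_SUCCESS */
};

/* Walk an auth stack in order and return the framework's verdict. */
enum verdict eval_stack(const struct entry *s, size_t n)
{
    int required_failed = 0, any_success = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i].module_ok) {
            any_success = 1;
            /* sufficient + success ends the stack, unless a required
             * module already failed */
            if (s[i].control == SUFFICIENT && !required_failed)
                return STACK_OK;
        } else if (s[i].control == REQUISITE) {
            return STACK_FAIL;          /* fail immediately */
        } else if (s[i].control == REQUIRED) {
            required_failed = 1;        /* fail, but keep walking */
        }                               /* failed sufficient: ignored */
    }
    return (any_success && !required_failed) ? STACK_OK : STACK_FAIL;
}

/* Constructed stacks. */
const struct entry ktelnet_acceptor[] = { { "pam_krb5 acceptor", SUFFICIENT, 1 } };
const struct entry ktelnet_plain[]    = { { "pam_krb5", SUFFICIENT, 0 } };
const struct entry acceptor_first[]   = { { "pam_krb5 acceptor", SUFFICIENT, 1 },
                                          { "pam_unix", REQUIRED, 0 } };
const struct entry required_first[]   = { { "pam_unix", REQUIRED, 0 },
                                          { "pam_krb5 acceptor", SUFFICIENT, 1 } };

int main(void)
{
    printf("ktelnet with acceptor: %d\n", eval_stack(ktelnet_acceptor, 1));
    printf("ktelnet, krb5 fails:   %d\n", eval_stack(ktelnet_plain, 1));
    printf("acceptor before unix:  %d\n", eval_stack(acceptor_first, 2));
    printf("unix before acceptor:  %d\n", eval_stack(required_first, 2));
    return 0;
}
```

In the `acceptor_first` stack the password module is never consulted, so a line that returns success unconditionally belongs only in a service stack that is reached after telnetd has already authenticated the user.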