Re: pam_krb5+Debian's login+telnet breaks!
On Mon, Nov 20, 2000 at 09:37:27AM +1100, Brian May wrote:
> >>>>> "Johan" == Johan Danielsson <joda@pdc.kth.se> writes:
>
> Johan> If it requires some authentication it should probably ask
> Johan> for a password even with -f, no? Can't say I know how PAM's
> Johan> supposed to work.
>
> My guess is that login is somehow passing the -f flag to the PAM
> module. pam_krb5 doesn't understand this and fails the
> authentication. pam_unix does understand this, and allows the user to
> login without authenticating again.
-f should be handled like so: don't call pam_authenticate().
Actually, IIRC, though Sun's /bin/login does that, Sun's implementation
of Krb5 has a telnetd/login.krb5/pam_krb5 combination and its login.krb5
uses a PAM service name like 'ktelnet' and the PAM config for that looks
like:
ktelnet auth sufficient pam_krb5 acceptor
where 'acceptor' means return PAM_SUCCESS in pam_krb5:pam_sm_authenticate().
See http://docs.sun.com, search for SEAM.
> Not that this really makes sense, but it ties up with what I have
> observed.
> --
> Brian May <bam@snoopy.apana.org.au>
Nico
--
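
An added example, not part of the original message or of any PAM implementation: a small audit that evaluates each service's `auth` stack for a caller who presents no valid credential, so that services configured like the `ktelnet` line above stand out for review. It assumes pam.conf-style lines, the four classic control keywords with simplified semantics, and that only `pam_permit` or a module given the `acceptor` option (as the post describes for Sun's pam_krb5) returns PAM_SUCCESS unconditionally; every sample line except the `ktelnet` one is constructed.

```python
# Constructed pam.conf-style sample; only the ktelnet line comes from the post.
SAMPLE_PAM_CONF = """\
# service  type  control     module     args
ktelnet    auth  sufficient  pam_krb5   acceptor
login      auth  required    pam_unix
login      auth  sufficient  pam_krb5   acceptor
rlogin     auth  sufficient  pam_krb5
rlogin     auth  required    pam_unix
"""

# Assumption: these return PAM_SUCCESS without checking any credential.
ALWAYS_OK_MODULES = {"pam_permit", "pam_permit.so"}
ALWAYS_OK_OPTIONS = {"acceptor"}  # per the post, for Sun's pam_krb5


def parse_auth_stacks(text):
    """Return {service: [(control, module, args), ...]} for auth lines only."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[1] != "auth":
            continue
        service, _type, control, module, *args = fields
        stacks.setdefault(service, []).append((control, module, args))
    return stacks


def succeeds_without_credentials(stack):
    """Simplified PAM evaluation where every real credential check fails."""
    required_failed = any_success = False
    optional_result = None
    for control, module, args in stack:
        name = module.rsplit("/", 1)[-1]
        ok = name in ALWAYS_OK_MODULES or bool(ALWAYS_OK_OPTIONS & set(args))
        if control == "requisite" and not ok:
            return False                      # requisite failure ends the stack
        if control in ("required", "requisite"):
            required_failed |= not ok
            any_success |= ok
        elif control == "sufficient" and ok and not required_failed:
            return True                       # sufficient success ends the stack
        elif control == "optional" and optional_result is None:
            optional_result = ok              # only matters if nothing else decides
    if required_failed:
        return False
    return any_success or bool(optional_result)


def open_services(text):
    """Services whose auth stack passes with no credential presented."""
    stacks = parse_auth_stacks(text)
    return sorted(s for s, st in stacks.items() if succeeds_without_credentials(st))
```

On the sample only `ktelnet` is reported: in the constructed `login` stack the earlier `required` pam_unix failure keeps the later `acceptor` line from short-circuiting to success.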