
Re: Kerberos tickets and one time passwords
On 2003-02-28 (Friday), Andreas Haupt wrote:
> On Fri, 28 Feb 2003, Onime Clement wrote:
> 
> > Another idea is to use PAM, if your system supports it! Then you won't
> > even have to modify login/telnetd. A pam session module could run kinit
> > and then afslog or aklog only after the one time password is accepted.
> 
> Thank you for that tip! I did not know about an existing pam module for
> s/key.
> 
> Do you know such a pam module, that can start user defined programs? Our
> kerberos5 pam module (written by Nalin Dahyabhai) does not seem to be able
> to request initial tickets when taking the key from a keytab.

pam_krb5 has never supported user authentication with keytabs.
The keytab option is for tgt validation. You can check whether the requested tgt
was spoofed or not. The keytab can contain a
host/hostname.org@YOUR.DOMAIN host principal, and pam_krb5
can check the requested tgt with krb5_verify_init_creds.

balsa

p.s.: Unfortunately tgt validation is broken in pam_krb5-heimdal-1.3-rc6;
use pam_krb5_snap-2003.02.23.