
Re: API differences between Heimdal and MIT



> Then I'd suggest that the bug is in the PAM module: it should drop root
> privileges before calling krb5_userok(), and regain the privileges
> afterward. Maybe it should be documented in the krb5_userok() man page

I don't see how this would help since the PAM module has not (and can not
have) acquired the AFS tokens at this point. Hence the user would be
denied access as well. Indeed, in my xscreensaver scenario with expired
tokens, everything runs as the user - all the time.

Besides, I think it's not pam_krb5's task to obtain AFS tokens in the first
place.

> with the privileges of the intended user. I think the current Heimdal
> behavior is desirable; if .k5login is unreadable for _any_ reason then
> there is a problem somewhere and the system should fail to the safe side
> by blocking such a user.

I understand your view, but cannot agree. If match_local_principals()
succeeds I think there is no reason to block the user just because
.k5login is *inaccessible* (if it's empty, but readable, I agree: block the
user). The file can be inaccessible for various reasons, one being that
there is a temporary network failure between the file server and the host
the user is logging into. It's not a big deal if your $HOME is unavailable
for a couple of minutes, but it will generate lots of extra helpdesk calls
if this disables logins.

-Juha

-- 
                 -----------------------------------------------
                | Juha Jäykkä, juolja@utu.fi			|
		| Laboratory of Theoretical Physics		|
		| Department of Physics, University of Turku	|
                | home: http://www.utu.fi/~juolja/              |
                 -----------------------------------------------
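
The two policies argued over in this message, side by side, as an added example that is not part of the original post and is not Heimdal or MIT code. All names are hypothetical, local_match stands for the result of the default principal-to-user mapping (match_local_principals() in the message), and an absent file is assumed to fall back to that mapping.

```c
/* Added example: not Heimdal or MIT code. All identifiers are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum k5state  { K5_ABSENT, K5_LISTED, K5_NOT_LISTED, K5_INACCESSIBLE };
enum k5policy { FAIL_CLOSED, FALLBACK_TO_LOCAL_MATCH };

/* Classify the .k5login at `path` with respect to `principal`. */
enum k5state k5login_probe(const char *path, const char *principal)
{
    char line[512];
    enum k5state st = K5_NOT_LISTED;    /* readable file, an empty one included */
    FILE *f = fopen(path, "r");

    if (f == NULL)                      /* ENOENT: no file; EACCES, EIO, ...: contents unknown */
        return errno == ENOENT ? K5_ABSENT : K5_INACCESSIBLE;
    while (fgets(line, sizeof line, f) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';
        if (strcmp(line, principal) == 0) { st = K5_LISTED; break; }
    }
    if (ferror(f))                      /* read failed part-way, e.g. file server went away */
        st = K5_INACCESSIBLE;
    fclose(f);
    return st;
}

/* Returns 1 to allow the login, 0 to deny it. */
int k5login_decide(enum k5state st, int local_match, enum k5policy pol)
{
    switch (st) {
    case K5_LISTED:       return 1;
    case K5_NOT_LISTED:   return 0;            /* a readable file is authoritative */
    case K5_ABSENT:       return local_match;  /* assumption: default mapping decides */
    case K5_INACCESSIBLE: return pol == FALLBACK_TO_LOCAL_MATCH && local_match;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample principal; probes ./.k5login in the current directory. */
    enum k5state st = k5login_probe(".k5login", "alice@EXAMPLE.ORG");
    printf("fail-closed: %d, fallback: %d\n",
           k5login_decide(st, 1, FAIL_CLOSED),
           k5login_decide(st, 1, FALLBACK_TO_LOCAL_MATCH));
    return 0;
}
```

The two policies differ only in the K5_INACCESSIBLE row: under the fallback policy a user who has restricted their own .k5login is still admitted by the default mapping whenever the file cannot be read.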
