[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Behavioural differences in Heimdal and MIT [was: Re: API differencesbetween Heimdal and MIT]

To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Subject: Re: Behavioural differences in Heimdal and MIT [was: Re: API differencesbetween Heimdal and MIT]
From: "Douglas E. Engert" <deengert@anl.gov>
Date: Wed, 15 Feb 2006 13:02:23 -0600
Cc: Gabor Gombas <gombasg@sztaki.hu>, Buck Huppmann <buckh@pobox.com>, "Juha J." <juhaj@iki.fi>, heimdal-discuss@sics.se
In-Reply-To: <CB2788BF-987B-4401-8B19-3E417CD6ADEC@jpl.nasa.gov>
References: <20060202161753.20c37c47@noether.tfy.utu.fi> <20060202154540.GC23653@boogie.lpds.sztaki.hu> <20060202181813.6789e137@alnitak.stiff.utu.fi> <20060213213951.GA19694@dsl092-173-085.wdc2.dsl.speakeasy.net> <B70BAE77-700D-47A5-8DA7-DAB6E7F6A487@jpl.nasa.gov> <20060215105246.GC20234@boogie.lpds.sztaki.hu> <CB2788BF-987B-4401-8B19-3E417CD6ADEC@jpl.nasa.gov>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915



Henry B. Hotz wrote:

> For the systems that support PAM I'm guessing we should have a  
> no-.k5login pam_krb5 (required*) followed by a pam_ldap (or pam_dbm,  or 
> whatever) that only does authorization, not password checking  (required 
> or sufficient).  pam_afs *should* only be a session module  to get the 
> token and set the PAG, but that may only work on Solaris.
> 

There is a pam_afs2 that uses the newly obtained or forwarded Kerberos 5
ticket of the user to get the token, and set the PAG.

> * A correctly configured ssh will get a forwarded tgt before you get  to 
> the PAM chain.  Anyone know of any pam_ldap's that can be told to  just 
> do authorization, maybe even to use a kerberized bind to do the  lookups?

The kerberized bind should be binding using the host's credentials, not the
yet-to-be-authorized user's credentials.

And providing alternatives to the .k5login for mapping principals to accounts
sounds like a good thing to have, as it could give the local admin better
control over the use of accounts.

> 
> On Feb 15, 2006, at 2:52 AM, Gabor Gombas wrote:
> 
>> On Tue, Feb 14, 2006 at 03:29:57PM -0800, Henry B. Hotz wrote:
>>
>>> The AFS token-not-yet-available issues are just another example of
>>> the same old problem we've always had with getting OS's to deal
>>> properly with AFS.
>>
>>
>> Maybe the proper solution would be to allow different backends (LDAP,
>> RDBMS etc.) for getting the information that is now contained in the
>> .k5login file. That would allow completely avoiding file system access
>> until the authentication/authorization process has finished.
>>
>> I see two possible approaches:
>>
>> 1. Provide a callback that can be used to replace just the reading of
>>    the .k5login file, leaving the content parsing/decision making in
>>    Heimdal, or
>> 2. Moving the decision making completely to the callback. This is more
>>    general but applications may need to implement more logic than with
>>    the first approach.
>>
>> Gabor
>>
>> -- 
>>      ---------------------------------------------------------
>>      MTA SZTAKI Computer and Automation Research Institute
>>                 Hungarian Academy of Sciences
>>      ---------------------------------------------------------
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Follow-Ups:
- Re: Behavioural differences in Heimdal and MIT [was: Re: APIdifferences between Heimdal and MIT]
  - From: Juha =?ISO-8859-15?B?SuR5a2vk?= <juhaj@iki.fi>
- Re: Behavioural differences in Heimdal and MIT [was: Re: API differences between Heimdal and MIT]
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>

References:
- API differences between Heimdal and MIT
  - From: Juha Jäykkä <juhaj@iki.fi>
- Re: API differences between Heimdal and MIT
  - From: Gabor Gombas <gombasg@sztaki.hu>
- Behavioural differences in Heimdal and MIT [was: Re: API differencesbetween Heimdal and MIT]
  - From: Juha =?ISO-8859-15?B?SuR5a2vk?= <juhaj@iki.fi>
- Re: Behavioural differences in Heimdal and MIT [was: Re: API differences between Heimdal and MIT]
  - From: Buck Huppmann <buckh@pobox.com>
- Re: Behavioural differences in Heimdal and MIT [was: Re: API differences between Heimdal and MIT]
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
- Re: Behavioural differences in Heimdal and MIT [was: Re: API differences between Heimdal and MIT]
  - From: Gabor Gombas <gombasg@sztaki.hu>
- Re: Behavioural differences in Heimdal and MIT [was: Re: API differences between Heimdal and MIT]
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>

Prev by Date: Re: Behavioural differences in Heimdal and MIT [was: Re: API differences between Heimdal and MIT]
Next by Date: Re: Behavioural differences in Heimdal and MIT [was: Re: APIdifferences between Heimdal and MIT]
Prev by thread: Re: Behavioural differences in Heimdal and MIT [was: Re: API differences between Heimdal and MIT]
Next by thread: Re: Behavioural differences in Heimdal and MIT [was: Re: APIdifferences between Heimdal and MIT]
Index(es):
- Date
- Thread