Re: Debian /bin/login and heimdal kerberos
On 15 Jul, Brian A May wrote:
| On Mon, Jul 12, 1999 at 02:57:10PM +0200, Wichert Akkerman wrote:
| > I wonder if what you did can also be implemented using a PAM module?
| I think PAM should be sufficient for the purpose of /bin/login, which
| is very similar to the standard login, i.e. the only difference is that
| it uses your password to obtain a Kerberos ticket, which must be saved
| somewhere. It should also set the environment variable KRB5CCNAME to
One notable difference: you can't implement login of root instances
(as provided in kth-krb; dunno about heimdal) via PAM. Or at least
I've been completely unsuccessful in convincing login to grant a uid of
0, because it's login and not PAM that makes that decision. (IMHO that
should be part of the PAM account stuff, but the PAM spec disagrees so
I guess I'd have to petition Sun to get it changed....)
| configurable by the user). Can PAM do this?
Yes, just do it in the PAM module's session close code. Look up the
pam_linux_afs module, which manages AFS tokens (related to Kerberos
tickets); it's a good and relatively simple example of how to deal with
network authentication tokens.
| However, I don't know if PAM can transparently support authentication
| by kerberos tickets instead of supplying a password. Such support would
Not directly (that is, it can't read the ticket itself), because
current protocols don't support it; that's normally handled by telnetd
or rlogind, which then invokes "login -f user". But then, IIRC that's
how we got started on this topic, isn't it?
You would have to define a new Kerberized telnet protocol to accomplish
this, with telnetd and login's PAM invocation somehow interacting, if
you want to *replace* the password prompt with a ticket exchange.
An alternative would be a PAM module which checks for existence of a
valid ticket (stored by telnetd) in the ticket cache which matches the
specified user and authenticates the user based on that, bypassing the
password check. This might have issues with pre-existing ticket files
if non-root can run /bin/login, but I think (and hope) that usage is
brandon s. allbery   os/2,linux,solaris,perl
system administrator   kth-krb,heimdal,gnome
carnegie mellon / electrical and computer engineering   kf8nh
We are Linux. Resistance is an indication that you missed the point.
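The "check for a valid ticket in the cache" module sketched above, and the
worry about pre-existing ticket files, in runnable form. This is an added
example, not code from the post, from Debian, or from any PAM or Kerberos
project, and it is a stand-alone Python model of the check rather than a
real PAM module (the same logic would sit in pam_sm_authenticate() in C).
It parses the MIT krb5 FILE credential-cache format, version 4 (magic
0x05 0x04), which is what kinit and a Kerberized telnetd write; the user,
realm and cache contents are constructed in the file, and the ticket bytes
are placeholders. Opening with O_NOFOLLOW and checking owner and mode on
the open descriptor is what keeps a cache planted by a non-root caller of
/bin/login from being accepted. One caveat the post does not spell out: a
file check like this only proves the cache is well-formed and belongs to the
right user; it does not prove the ticket is genuine, so the module still has
to trust that the telnetd which stored the cache verified the ticket, or
verify the TGT against the host keytab itself as pam_krb5 does.

```python
"""Model of a PAM-style check that lets a user in on an existing Kerberos
ticket cache instead of a password (added example; not from the post).
Cache layout: MIT krb5 FILE ccache version 4.  Sample caches are built here."""
import os, stat, struct, tempfile, time


def _cstr(b):
    """Counted string: big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _principal(name, realm, name_type=1):
    """Principal: uint32 name_type, uint32 #components, realm, components."""
    comps = name.split("/")
    out = struct.pack(">II", name_type, len(comps)) + _cstr(realm.encode())
    return out + b"".join(_cstr(c.encode()) for c in comps)


def build_ccache(client, realm, endtime, authtime=None):
    """Construct a minimal v4 FILE ccache holding one TGT (test data only)."""
    authtime = authtime or int(time.time())
    header = struct.pack(">HH", 1, 8) + struct.pack(">II", 0, 0)  # DeltaTime tag
    data = b"\x05\x04" + struct.pack(">H", len(header)) + header
    data += _principal(client, realm)                      # default principal
    cred = _principal(client, realm)                       # client
    cred += _principal("krbtgt/" + realm, realm, name_type=2)  # server (TGT)
    cred += struct.pack(">H", 18) + _cstr(b"\x00" * 32)    # keyblock: enctype + key
    cred += struct.pack(">IIII", authtime, authtime, endtime, endtime)
    cred += b"\x00" + struct.pack(">I", 0x40E00000)        # is_skey, ticket_flags
    cred += struct.pack(">I", 0) + struct.pack(">I", 0)    # no addresses, no authdata
    cred += _cstr(b"\x30\x03\x02\x01\x05") + _cstr(b"")    # placeholder ticket, 2nd ticket
    return data + cred


class _Reader:
    """Cursor over the cache bytes; every read is bounds-checked."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if n < 0 or self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def cstr(self): return self.take(self.u32())

    def principal(self):
        self.u32()                                         # name type, unused here
        n = self.u32()
        realm = self.cstr().decode()
        return "/".join(self.cstr().decode() for _ in range(n)) + "@" + realm


def parse_ccache(data):
    """Return (default_principal, [(client, server, endtime), ...])."""
    r = _Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("not a version 4 FILE ccache")
    r.take(r.u16())                                        # skip header tags
    default, creds = r.principal(), []
    while r.pos < len(r.buf):
        client, server = r.principal(), r.principal()
        r.u16(); r.cstr()                                  # keyblock
        _auth, _start, endtime, _renew = struct.unpack(">IIII", r.take(16))
        r.take(1); r.u32()                                 # is_skey, ticket_flags
        for _ in range(r.u32()): r.u16(); r.cstr()         # addresses
        for _ in range(r.u32()): r.u16(); r.cstr()         # authdata
        r.cstr(); r.cstr()                                 # ticket, second_ticket
        creds.append((client, server, endtime))
    return default, creds


def ticket_login_allowed(path, user, realm, expected_uid, now=None):
    """(ok, reason): may `user` log in on this cache without a password?
    Rejects symlinks, non-regular files, wrong owner, group/other-accessible
    modes, another user's cache, malformed data, and expired or missing TGTs."""
    now = int(time.time()) if now is None else now
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)    # symlink -> OSError
    except OSError as e:
        return False, "cannot open cache: %s" % e.strerror
    with os.fdopen(fd, "rb") as f:
        st = os.fstat(f.fileno())                          # no lstat/open race
        if not stat.S_ISREG(st.st_mode):
            return False, "cache is not a regular file"
        if st.st_uid != expected_uid:
            return False, "cache owned by uid %d, expected %d" % (st.st_uid, expected_uid)
        if st.st_mode & 0o077:
            return False, "cache is group/world accessible"
        try:
            default, creds = parse_ccache(f.read())
        except ValueError as e:
            return False, "malformed cache: %s" % e
    want, tgt = "%s@%s" % (user, realm), "krbtgt/%s@%s" % (realm, realm)
    if default != want:
        return False, "cache belongs to %s, not %s" % (default, want)
    for client, server, endtime in creds:
        if client == want and server == tgt and endtime > now:
            return True, "valid TGT until %d" % endtime
    return False, "no unexpired TGT for %s" % want


def demo(user="brian", realm="EXAMPLE.ORG"):
    """Write fresh, expired, other-user and world-readable caches; check each."""
    now, d, uid, results = int(time.time()), tempfile.mkdtemp(), os.getuid(), {}
    cases = {"fresh": (user, now + 3600, 0o600), "expired": (user, now - 60, 0o600),
             "wrong_user": ("mallory", now + 3600, 0o600), "world_readable": (user, now + 3600, 0o644)}
    for label, (who, end, mode) in cases.items():
        p = os.path.join(d, "krb5cc_" + label)
        with open(p, "wb") as f:
            f.write(build_ccache(who, realm, end))
        os.chmod(p, mode)
        results[label] = ticket_login_allowed(p, user, realm, uid, now)
    return results


if __name__ == "__main__":
    for label, (ok, why) in demo().items():
        print("%-15s %s  %s" % (label, "ALLOW" if ok else "DENY ", why))
```

Only the "fresh" cache is accepted; the expired one, the one whose default principal is another user, and the group/world-readable one are all refused with a reason, which is what the module would log before falling back to the password prompt.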