Re: redhat kerberos PAM

There's a PAM_KRB5 somewhere in the heimdal site.

It looks pretty good, except for one serious, easily fixable problem:
the krb5 password validation function is called without a valid prompter
function, so the krb5 library is allowed to believe that the user can be
prompted via the tty.

The solution to this problem is simple: add a krb5 prompter function
whose prompter_data is a PAM handle and have this prompter convert krb5
prompts to PAM prompts and so on.

That said, this is the ONLY PAM_KRB5 module I have seen so far that gets
password-aging right, namely by attempting to get an initial ticket to
the password changing service so as to change the user's password and
then get a TGT for the user.


On Mon, Nov 06, 2000 at 06:51:08PM +0100, Joel Kociolek wrote:
> On Fri, Nov 03, 2000 at 06:03:04PM +0000, Alex Stepney wrote:
> > 
> > anyone know of a decent kerberos PAM to use for heimdal on RedHat 6.2?
> I wouldn't say that I know of a decent one. I'm too much inexperienced
> with this, and from what I've understood, it could be really "indecent"
> to use PAM with kerberos. But I've managed to make Franck Cusack's PAM
> module work with heimdal with only a small patch. You can find the
> module on http://www.fcusack.com/ and my patch on
> http://ns1.logidee.com/~joko/heimdal/
> I plan to improve my patch to make it includable by Mr Cusack in his PAM
> module, but I don't have time to do this for the moment.
> Joel K.
> -- 
> I want to  argue that an  effective way of  promoting true computer literacy
> would be to make Unix basics part of the curriculum... for everybody.
>    -- Martin Vermeer --          http://linuxtoday.org/stories/1846.html
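
The fix suggested at the top of this message, sketched as an added example (not code from the original post, from the PAM module it discusses, or from Heimdal): a krb5 prompter whose data pointer is the PAM handle, which sends each prompt through the PAM conversation, rejects answers that do not fit the reply buffer, and scrubs the PAM response before freeing it. The types are simplified stand-ins so the block compiles without the krb5 and PAM headers, and `pam_prompter`, `demo_conv`, `demo` and `PROMPT_FAILED` are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed, simplified stand-ins so this compiles alone. A real module takes
 * them from <krb5.h> and <security/pam_modules.h> and uses pam_get_item(). */
enum { PAM_SUCCESS = 0, PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv { int (*conv)(int, const struct pam_message **,
                              struct pam_response **, void *); void *appdata_ptr; };
typedef struct { struct pam_conv *conv; } pam_handle_t;
typedef struct { unsigned int length; char *data; } krb5_data;
typedef struct { char *prompt; int hidden; krb5_data *reply; } krb5_prompt;
#define PROMPT_FAILED (-1)   /* stand-in for a krb5 error code */
/* krb5 prompter; data is the PAM handle, so no prompt ever goes to the tty. */
int pam_prompter(void *context, void *data, const char *name,
                 const char *banner, int num_prompts, krb5_prompt prompts[])
{
    pam_handle_t *pamh = data;
    if (!pamh || !pamh->conv || !pamh->conv->conv) return PROMPT_FAILED; /* fail closed */
    for (int i = 0; i < num_prompts; i++) {
        krb5_prompt *p = &prompts[i];
        int style = p->hidden ? PAM_PROMPT_ECHO_OFF : PAM_PROMPT_ECHO_ON;
        const struct pam_message msg = { style, p->prompt }, *msgp = &msg;
        struct pam_response *resp = NULL;
        int rc = pamh->conv->conv(1, &msgp, &resp, pamh->conv->appdata_ptr);
        size_t n = (resp && resp->resp) ? strlen(resp->resp) : 0;
        /* reply->length arrives as the buffer size: reject answers that do not fit */
        int ok = rc == PAM_SUCCESS && resp && resp->resp && n < p->reply->length;
        if (ok) { memcpy(p->reply->data, resp->resp, n + 1); p->reply->length = (unsigned int)n; }
        if (resp) { if (resp->resp) memset(resp->resp, 0, n); free(resp->resp); free(resp); }
        if (!ok) return PROMPT_FAILED;
    }
    return 0;
}

/* Constructed application conversation: records the style, answers "s3cret". */
static int demo_conv(int n, const struct pam_message **m,
                     struct pam_response **r, void *appdata)
{
    *(int *)appdata = n == 1 ? m[0]->msg_style : -1;
    if (!(*r = calloc(1, sizeof **r)) || !((*r)->resp = malloc(7))) return 1;
    strcpy((*r)->resp, "s3cret");
    return PAM_SUCCESS;
}
int demo(char *buf, unsigned int cap, int hidden, int *style) /* one prompt */
{
    struct pam_conv c = { demo_conv, style }; pam_handle_t h = { &c };
    krb5_data reply = { cap, buf }; krb5_prompt p = { "Password: ", hidden, &reply };
    return pam_prompter(NULL, &h, NULL, NULL, 1, &p) ? PROMPT_FAILED : (int)reply.length;
}
```

In a real module the prompter would be handed to the krb5 library's password-based credential call together with the `pam_handle_t *` as its data argument.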