[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: redhat kerberos PAM
There's a PAM_KRB5 somewhere in the heimdal site.
It looks pretty good, except for one serious, easily fixable problem:
the krb5 password validation function is called without a valid prompter
function, so the krb5 library is allowed to believe that the user can be
prompted via the tty.
The solution to this problem is simple: add a krb5 prompter function
whose prompter_data is a PAM handle and have this prompter convert krb5
prompts to PAM prompts and so on.
That said, this is the ONLY PAM_KRB5 module I have seen so far that gets
password-aging right, namely by attempting to get an initial ticket to
the password changing service so as to change the user's password and
then get a TGT for the user.
On Mon, Nov 06, 2000 at 06:51:08PM +0100, Joel Kociolek wrote:
> On Fri, Nov 03, 2000 at 06:03:04PM +0000, Alex Stepney wrote:
> > anyone know of a decent kerberos PAM to use for heimdal on RedHat 6.2?
> I wouldn't say that I know of a decent one. I'm to much inexperienced
> with this, and from what I've understood, it could be really "indecent"
> to use PAM with kerberos. But I've managed to make Franck Cusack's PAM
> module work with heimdal with only a small patch. You can find the
> module on http://www.fcusack.com/ and my patch on
> I plan to improve my patch to make it includable by Mr Cusack in his PAM
> module, but I don't have time to do this for the moment.
> Joel K.
> I want to argue that an effective way of promoting true computer literacy
> would be to make Unix basics part of the curriculum... for everybody.
> -- Martin Vermeer -- http://linuxtoday.org/stories/1846.html