
Re: redhat kerberos PAM



>>>>> "Joel" == Joel Kociolek <joko@logidee.com> writes:

    Joel> I wouldn't say that I know of a decent one. I'm too
    Joel> inexperienced with this, and from what I've understood, it
    Joel> could be really "indecent" to use PAM with kerberos. But

I think using PAM is OK for login sessions, e.g. xdm, text-mode console,
etc. That way the user doesn't need to have a Unix-style password.

    Joel> I've managed to make Franck Cusack's PAM module work with
    Joel> heimdal with only a small patch. You can find the module on
    Joel> http://www.fcusack.com/ and my patch on
    Joel> http://ns1.logidee.com/~joko/heimdal/

If I were to package a PAM module for Debian Linux, which one should I
use? Or should I wait until one is included with Heimdal?

    Nicolas> There's a PAM_KRB5 somewhere in the heimdal site.

Where?

    Nicolas> It looks pretty good, except for one serious, easily
    Nicolas> fixable problem: the krb5 password validation function is
    Nicolas> called without a valid prompter function, so the krb5
    Nicolas> library is allowed to believe that the user can be
    Nicolas> prompted via the tty.

    Nicolas> The solution to this problem is simple: add a krb5
    Nicolas> prompter function whose prompter_data is a PAM handle and
    Nicolas> have this prompter convert krb5 prompts to PAM prompts
    Nicolas> and so on.

    Nicolas> That said, this is the ONLY PAM_KRB5 module I have seen
    Nicolas> so far that gets password-aging right, namely by
    Nicolas> attempting to get an initial ticket to the password
    Nicolas> changing service so as to change the user's password and
    Nicolas> then get a TGT for the user.

Is this going to be fixed by the author/maintainer?

    Jacques> I just committed a pam_krb5 port (based on fcusack's
    Jacques> pam_krb5 also) for FreeBSD that can be compiled for
    Jacques> either MIT or Heimdal.  One can look at the patches at
    Jacques> http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/pam_krb5/files
    Jacques> Looking at your patches it looks as if I may have missed
    Jacques> a bit with the password change -- no surprise, I haven't
    Jacques> really tested that, due to the fact that my users don't
    Jacques> appear in /etc/passwd normally.

Or is this the URL here?
-- 
Brian May <bam@snoopy.apana.org.au>
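The prompter fix Nicolas describes above, worked through as an added example (this is not code from the thread, from fcusack's pam_krb5 or from the FreeBSD port): a krb5 prompter callback whose prompter_data is the PAM conversation, translating each krb5 prompt into a PAM message so libkrb5 never falls back to reading the tty. The type definitions, constants and the scripted conversation function are simplified local stand-ins (assumptions) so the file builds and runs stand-alone; a real module includes <krb5.h> and <security/pam_appl.h> and fetches the conversation with pam_get_item(pamh, PAM_CONV, ...).

```c
/* Added example: bridge libkrb5 prompts to the PAM conversation.
 * Types/constants below are simplified stand-ins for the real krb5 and
 * Linux-PAM definitions (assumption) so this compiles without the libraries. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void *krb5_context;
typedef int krb5_error_code;
typedef struct { size_t length; char *data; } krb5_data;
typedef struct { char *prompt; int hidden; krb5_data *reply; } krb5_prompt;
#define KRB5_LIBOS_CANTREADPWD 1   /* stand-in; the real header defines the value */

#define PAM_SUCCESS         0
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON  2
#define PAM_TEXT_INFO       4
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};

/* The prompter: prompter_data is the pam_conv taken from the PAM handle.
 * Each krb5 prompt becomes one PAM message (hidden -> ECHO_OFF), and an
 * optional banner is passed first as PAM_TEXT_INFO. */
static krb5_error_code
pam_krb5_prompter(krb5_context ctx, void *data, const char *name,
                  const char *banner, int num_prompts, krb5_prompt prompts[])
{
    const struct pam_conv *conv = data;
    int extra = banner ? 1 : 0, n = num_prompts + extra, i;
    krb5_error_code ret = 0;
    struct pam_message *msgs;
    const struct pam_message **msgp;
    struct pam_response *resps = NULL;
    (void)ctx; (void)name;

    if (!conv || !conv->conv || num_prompts <= 0)
        return KRB5_LIBOS_CANTREADPWD;
    msgs = calloc(n, sizeof *msgs);
    msgp = calloc(n, sizeof *msgp);
    if (!msgs || !msgp) { free(msgs); free(msgp); return KRB5_LIBOS_CANTREADPWD; }
    if (banner) { msgs[0].msg_style = PAM_TEXT_INFO; msgs[0].msg = banner; }
    for (i = 0; i < num_prompts; i++) {
        msgs[i + extra].msg_style = prompts[i].hidden ? PAM_PROMPT_ECHO_OFF
                                                      : PAM_PROMPT_ECHO_ON;
        msgs[i + extra].msg = prompts[i].prompt;
    }
    for (i = 0; i < n; i++) msgp[i] = &msgs[i];

    if (conv->conv(n, msgp, &resps, conv->appdata_ptr) != PAM_SUCCESS || !resps) {
        ret = KRB5_LIBOS_CANTREADPWD;
        goto out;
    }
    for (i = 0; i < num_prompts; i++) {
        const char *answer = resps[i + extra].resp;
        krb5_data *reply = prompts[i].reply;   /* libkrb5 pre-sizes this buffer */
        size_t len = answer ? strlen(answer) : 0;
        if (!answer || len + 1 > reply->length) {   /* refuse rather than truncate */
            ret = KRB5_LIBOS_CANTREADPWD;
            break;
        }
        memcpy(reply->data, answer, len + 1);
        reply->length = len;
    }
out:
    if (resps) {   /* wipe the secrets PAM handed back (use explicit_bzero in real code) */
        for (i = 0; i < n; i++)
            if (resps[i].resp) { memset(resps[i].resp, 0, strlen(resps[i].resp)); free(resps[i].resp); }
        free(resps);
    }
    free(msgs);
    free(msgp);
    return ret;
}

/* Constructed stand-in for the application's conversation function:
 * answers hidden prompts with the canned password in appdata, visible
 * ones with a user name, and info messages with no response. */
static char *dupstr(const char *s) { char *d = malloc(strlen(s) + 1); if (d) strcpy(d, s); return d; }
static int scripted_conv(int n, const struct pam_message **msg,
                         struct pam_response **resp, void *appdata)
{
    struct pam_response *r = calloc(n, sizeof *r);
    int i;
    if (!r) return PAM_CONV_ERR;
    for (i = 0; i < n; i++) {
        if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) r[i].resp = dupstr(appdata);
        else if (msg[i]->msg_style == PAM_PROMPT_ECHO_ON) r[i].resp = dupstr("joe");
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Drive one hidden (password) prompt through the bridge into a reply buffer
 * of bufsize bytes (<= 64), returning the krb5 result code. */
static char g_reply[64];
static char g_password[] = "s3cret-pw";   /* constructed sample input */
int demo_prompt(size_t bufsize)
{
    struct pam_conv conv = { scripted_conv, g_password };
    krb5_data reply = { bufsize > sizeof g_reply ? sizeof g_reply : bufsize, g_reply };
    krb5_prompt p = { "Password for joe@EXAMPLE.ORG: ", 1, &reply };
    memset(g_reply, 0, sizeof g_reply);
    return pam_krb5_prompter(NULL, &conv, "krb5", "Kerberos login", 1, &p);
}
const char *demo_last_reply(void) { return g_reply; }

int main(void)
{
    int rc = demo_prompt(sizeof g_reply);
    printf("rc=%d reply=%s\n", rc, rc == 0 ? g_reply : "(none)");
    printf("small buffer rc=%d\n", demo_prompt(4));
    return rc;
}
```

The two things a reviewer of such a module should check are visible in the prompter: hidden prompts must map to PAM_PROMPT_ECHO_OFF so the password is never echoed, and the reply must be rejected when it does not fit the buffer libkrb5 supplied rather than silently truncated, since a truncated password would be sent to the KDC as-is.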