[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Kerberising login (mingetty)

To: heimdal-discuss@sics.se
Subject: Re: Kerberising login (mingetty)
From: Brian May <bam@snoopy.apana.org.au>
Date: 23 Nov 2001 12:06:34 +1100
In-Reply-To: <20011120161207.3e8c99db.raul@systrix.com>
References: <20011120161207.3e8c99db.raul@systrix.com>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.4 (Artificial Intelligence)

>>>>> "Raul" == Raul Seemendi <raul@systrix.com> writes:

    Raul> Hi.  I am running debian and I would like to kerberise my
    Raul> login in the linux. What procedures should I follow to do
    Raul> that? I have searched the net and nothing helpful popped
    Raul> out.  I have the heimdal's PAM module. I know that I need to
    Raul> reconfigure pam to authenticate in kerberos, but I am not
    Raul> sure how to do that. Also I have no knowledge what kind of a
    Raul> principals do I need to have in the kerberos server.

PAM configuration is stored in /etc/pam.d/. The files you will most
likely want to edit are login and gdm (assuming you use gdm, otherwise
replace gdm with xdm or whatever else you use).

I have in my auth section (only relevant entries shown):

auth    [success=1 default=ignore]      pam_unix.so
auth    required                        pam_ldap.so try_first_pass
auth    required                        pam_permit.so
auth    optional                        pam_krb5.so try_first_pass

this means it will try authenticating against Unix. If that doesn't
work, it tries LDAP. If one of those works, it then tries to obtain a
Kerberos ticket, but this is marked as optional so it is not required.
This may not be what you want; chances are you don't use LDAP.

If I changed it to (not tested)

auth    [success=1 default=ignore]      pam_unix.so
auth    required                        pam_krb5.so try_first_pass
auth    required                        pam_permit.so

The standard /etc/shadow password checking would occur first, and if
that doesn't work it will try Kerberos.

So... really... it depends on what you want to happen. Do you want it
to try standard Unix password checking if Kerberos doesn't work, or
the other way around? If you only specify pam_krb5.so it won't check
/etc/shadow at all - but this could be a problem if the KDC ever goes
down, and you can't login (not even as root) to fix it.

PAM configuration is very flexible...

Ohhh... if you do change your PAM configuration, make sure you
properly test it. In fact I would highly recommend that you check that
you can still login again as root *before logging out* (from first
hand experience)!

I hope this helps....(?)
-- 
Brian May <bam@snoopy.apana.org.au>

References:
- Kerberising login (mingetty)
  - From: Raul Seemendi <raul@systrix.com>

Prev by Date: Kerberising login (mingetty)
Next by Date: GSSFTP client doesn't follow RFC.
Prev by thread: Kerberising login (mingetty)
Next by thread: GSSFTP client doesn't follow RFC.
Index(es):
- Date
- Thread