
Re: Kerberos tickets and one time passwords



On Fri, 28 Feb 2003, Onime Clement wrote:

> Another idea is to use PAM, if your system supports it! Then you won't
> even have to modify login/telnetd. A PAM session module could run kinit
> and then afslog or aklog only after the one time password is accepted.

Thank you for that tip! I did not know about an existing pam module for
s/key.

Do you know of such a PAM module, one that can start user-defined programs? Our
Kerberos 5 PAM module (written by Nalin Dahyabhai) does not seem to be able
to request initial tickets when taking the key from a keytab.

Here's the log of a try:

---snip---
Feb 28 14:21:29 fama login: got username ahaupt
Feb 28 14:21:29 fama login: got challenge s/key 94 fa35833 for ahaupt
Feb 28 14:21:45 fama login: pam_krb5afs: get_config() called
Feb 28 14:21:45 fama login: pam_krb5afs: Creating a ticket with addresses
Feb 28 14:21:45 fama login: pam_krb5afs: krb4_convert true
Feb 28 14:21:45 fama login: pam_krb5afs: native_krb4_tgt false
Feb 28 14:21:45 fama login: pam_krb5afs: will afslog to cells `ifh.de'
Feb 28 14:21:45 fama login: pam_krb5afs: will afslog to cell `ifh.de'
Feb 28 14:21:45 fama login: pam_krb5afs: password-changing banner set to `Kerberos 5'
Feb 28 14:21:45 fama login: pam_krb5afs: ccache directory set to `/tmp'
Feb 28 14:21:45 fama login: pam_krb5afs: making tickets forwardable
Feb 28 14:21:45 fama login: pam_krb5afs: keytab file name set to `/etc/keytab.ahaupt'
Feb 28 14:21:45 fama login: pam_krb5afs: setting heimdal kdc timeout to 3
Feb 28 14:21:45 fama login: pam_krb5afs: will only attempt to authenticate users when UID >= 0
Feb 28 14:21:45 fama login: pam_krb5afs: making tickets proxiable
Feb 28 14:21:45 fama login: pam_krb5afs: setting renewable lifetime to 1209600
Feb 28 14:21:45 fama login: pam_krb5afs: required_tgs set to `host/fama'
Feb 28 14:21:45 fama login: pam_krb5afs: setting ticket lifetime to 90000
Feb 28 14:21:45 fama login: pam_krb5afs: use_authtok false
Feb 28 14:21:45 fama login: pam_krb5afs: user_check true
Feb 28 14:21:45 fama login: pam_krb5afs: validate false
Feb 28 14:21:45 fama login: pam_krb5afs: warn_period 604800
Feb 28 14:21:45 fama login: pam_krb5afs: pam_sm_authenticate() called (prc = Success)
Feb 28 14:21:45 fama login: pam_krb5afs: default Kerberos realm is `IFH.DE'
Feb 28 14:21:45 fama login: pam_krb5afs: pam_get_user returned `ahaupt'
Feb 28 14:21:45 fama login: pam_krb5afs: user is `ahaupt'
Feb 28 14:21:45 fama login: pam_krb5afs: `ahaupt' has uid 9132, gid 203
Feb 28 14:21:45 fama login: pam_krb5afs: attempting to authenticate `ahaupt'
Feb 28 14:21:45 fama login: pam_krb5afs: get_int_tkt returned Unknown error -1765328353
---snap---

BTW: Nice error message ;-)

Thanks in advance
Andreas

-- 
Andreas Haupt         E-Mail: ahaupt@ifh.de
 DESY Zeuthen
 Platanenallee 6
 15738 Zeuthen
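The "Unknown error -1765328353" at the end of the log above is a com_err code whose error table the PAM module never resolved to text. As an added example (not part of the thread), this Python decoder splits such a code into its table name and offset; the offset-to-name map is an assumed subset of the krb5 error table, which uses the RFC 4120 error numbering.

```python
from typing import Tuple

# com_err packs a 4-character table name into the upper 24 bits of a 32-bit
# value, 6 bits per character, and keeps the low 8 bits as the offset into
# that table. Character code 0 is padding; 1..63 index this alphabet.
_COM_ERR_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

# Assumed subset of the krb5 error table (offset -> symbolic name), taken
# from the RFC 4120 error-code numbering that krb5_err.et mirrors.
KRB5_ERRORS = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    18: "KRB5KDC_ERR_CLIENT_REVOKED",
    23: "KRB5KDC_ERR_KEY_EXP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
    31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
    32: "KRB5KRB_AP_ERR_TKT_EXPIRED",
    37: "KRB5KRB_AP_ERR_SKEW",
}


def decode_com_err(code: int) -> Tuple[str, int]:
    """Split a signed 32-bit com_err code into (table name, offset)."""
    value = code & 0xFFFFFFFF          # reinterpret the negative int as uint32
    offset = value & 0xFF
    packed = value >> 8
    chars = []
    for _ in range(4):                 # low 6 bits hold the last character
        idx = packed & 0x3F
        packed >>= 6
        chars.append(_COM_ERR_CHARS[idx - 1] if idx else "")
    return "".join(reversed(chars)), offset


def explain_krb5_error(code: int) -> str:
    """Render a com_err code the way error_message() would if the krb5 table were loaded."""
    table, offset = decode_com_err(code)
    if table != "krb5":
        return f"{code}: error table '{table}', offset {offset}"
    name = KRB5_ERRORS.get(offset, f"krb5 offset {offset} (not in the subset above)")
    return f"{code}: {name}"


if __name__ == "__main__":
    print(explain_krb5_error(-1765328353))  # the code from the log above
```

Offset 31 in the krb5 table is KRB5KRB_AP_ERR_BAD_INTEGRITY ("Decrypt integrity check failed"), a key mismatch rather than a PAM stacking problem, so the keytab's key for the principal is the first thing to compare against what the KDC holds.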