Re: pam_krb5 (was: Heimdal, OpenAFS and Linux PAM)

This (my followup) was meant to be on-list.  Forwarded with permission
in case it's useful.

By the way, if people are running Kerberized telnet on a PAM-ified
system, be aware that the Heimdal login program doesn't have PAM
support, so that there can be a hole in access control you think
you've imposed with PAM.  If you use the system login (which needs to
support the right args) instead, you probably don't get
ticket-forwarding.  I don't think MIT has PAM support either.

> different versions of pam_krb5 recently, and there was a version from
> CVS at Redhat which appeared to have significant changes from the
> version in Fedora 4 and Debian unstable, though it was difficult to

Do you mean this: :pserver:anoncvs@rhlinux.redhat.com:/usr/local/CVS? It
is what I currently use, and its last updates are from 19.12.2005, so it's
obviously under active development, which cannot be said of many other
pam_krb5 modules.

This module is actually pretty good. It builds its own libkafs.so, so it's
not quite ideal, but on the other hand not depending on Heimdal libraries
is good for interoperability. The problem with it is that it is
monolithic: it does both Heimdal/MIT and AFS, and has a broken krb5.conf
parser and so forth. But these limitations can be lived with.

The OpenAFS guys are planning to implement their own PAM module which
would work with all Kerberos implementations and require only OpenAFS
libraries. That sounds like the right way to go to me.

In the meantime, we need to hack something together. The above module is
the best I've come up with. Another one might be to use something called
pam_afs2.so (found it somewhere): it is useful since it can execute
arbitrary scripts or binaries (including Heimdal pagsh and afslog). It
still requires a working pam_krb5 in front of it. I just wonder why the
Heimdal people do not provide their own pam_krb5heimdal.so... That would
sound like the right way to go until there is a pam_krb5.so which works
with any krb5 implementation, does not have numerous library
dependencies, and does not exhibit the monolithic dinosaur disease =) the
RedHat version does.

> Does anyone have a recommendation for the best source of pam_krb5
> currently, particularly one that's portable?

You probably meant to ask the list this. You never sent it to the list. =)
