
Re: pam_krb5 with PKINIT from Heimdal and MIT





Jeffrey Hutzelman wrote:
> 
> 
> On Friday, October 13, 2006 09:52:02 AM -0500 "Douglas E. Engert" 
> <deengert@anl.gov> wrote:
> 
>> The way PAM works today i.e. get a username and password
>> then call all the pam routines one at a time with the same password
> 
> 
> That's not how PAM works.  It is up to individual PAM modules to request 
> that the application prompt the user for a username, password, or other 
> data.  The framework provides a mechanism (the PAM_USER and PAM_AUTHTOK 
> items) for caching and reusing the previously-entered username and/or 
> password when appropriate, but it is up to individual modules to decide 
> when to do this.  For many modules, this behavior is controlled by the 
> pam_first_pass and pam_try_first options.

I understand that it can be done the other way. It's just that in most
distributions it's done using the same authtok. Solaris 10 goes so far
as to use pam_authtok.so to prompt for "Password:" before any of the
individual modules do.

In practice, even on non-Solaris systems, what the user sees is "Password:"
and has no idea which password this is referring to. Multiple
"Password:" prompts could be a failed first password, with try_first_pass
and a second chance, or a second PAM module prompting.

We have seen on some systems where Kerberos can be used, but the user uses
the local password, that Kerberos is tried first, and the W2K3
KDC logs a failure, and can turn off an account.

The pam_krb5-2.4, for example, will use "Password: " and will
do pam_set_item(ctx->pamh, authtok, pass); just in case it is not the Kerberos
password.


What I am asking is for vendors like RedHat, Sun, and Debian to look at these
other PAM issues while looking at pam_krb5 and Kerberos pre-auth, and change
the default behavior such that it is obvious to the user which "Password:" is being
requested, as well as recognize that smart card readers with pin pads
can't use the "Password:" prompt.




> 
> -- Jeff
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
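The behaviour argued over above (the shared PAM_AUTHTOK item, the use_first_pass and try_first_pass options, and the KDC lockout that follows from trying pam_krb5 before the local password module) can be made concrete with a small simulation. This is an added example; it is not code from the original message, from pam_krb5, from any vendor's PAM stack, or from Linux-PAM itself. The pam.d-style stack lines, the module names, the two user accounts and their passwords, and the lockout threshold of 3 are constructed for the example, and the control-flag handling is a simplified version of the usual required/requisite/sufficient semantics.

```python
"""Toy PAM 'auth' stack simulation (added example, not real PAM code)."""
from dataclasses import dataclass, field

PAM_SUCCESS, PAM_AUTH_ERR, PAM_AUTHTOK_ERR = 0, 7, 20


@dataclass
class ToyKdc:
    """Stand-in for a KDC with an account-lockout policy (constructed)."""
    passwords: dict
    threshold: int = 3
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def preauth(self, user, password):
        if user in self.locked:
            return False
        if self.passwords.get(user) == password:
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
        return False


@dataclass
class PamHandle:
    """The handle every module shares: items (PAM_AUTHTOK etc.) plus the conversation."""
    user: str
    typed_password: str        # what the simulated user types at every "Password:" prompt
    items: dict = field(default_factory=dict)
    prompts: list = field(default_factory=list)

    def converse(self, prompt):
        self.prompts.append(prompt)
        return self.typed_password


def module_auth(pamh, options, verify, prompt="Password: "):
    """Generic module body: honour use_first_pass / try_first_pass, otherwise prompt
    and cache whatever was typed in PAM_AUTHTOK (as pam_krb5 does via pam_set_item)."""
    cached = pamh.items.get("PAM_AUTHTOK")
    if "use_first_pass" in options:
        if cached is None:
            return PAM_AUTHTOK_ERR                   # must not prompt, nothing to reuse
        return PAM_SUCCESS if verify(pamh.user, cached) else PAM_AUTH_ERR
    if "try_first_pass" in options and cached is not None and verify(pamh.user, cached):
        return PAM_SUCCESS
    token = pamh.converse(prompt)                    # first module, or cached token rejected
    pamh.items["PAM_AUTHTOK"] = token
    return PAM_SUCCESS if verify(pamh.user, token) else PAM_AUTH_ERR


def parse_auth_stack(text):
    """Parse pam.d-style lines '<type> <control> <module> [options...]'; keep 'auth' only."""
    stack = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 3 and words[0] == "auth":
            stack.append((words[1], words[2], set(words[3:])))
    return stack


def run_auth(stack, pamh, modules):
    """Simplified control-flag semantics: sufficient short-circuits on success,
    requisite short-circuits on failure, required records the first failure."""
    failed = None
    for control, module, options in stack:
        rc = modules[module](pamh, options)
        if control == "sufficient" and rc == PAM_SUCCESS and failed is None:
            return PAM_SUCCESS
        if control == "requisite" and rc != PAM_SUCCESS:
            return rc
        if control == "required" and rc != PAM_SUCCESS and failed is None:
            failed = rc
    return PAM_SUCCESS if failed is None else failed


def simulate(stack_text, user, typed_password, logins, local_pw, kdc):
    """Run `logins` logins; return (successes, prompts per login, KDC failures, locked?)."""
    modules = {
        "pam_unix.so": lambda h, o: module_auth(h, o, lambda u, p: local_pw.get(u) == p),
        "pam_krb5.so": lambda h, o: module_auth(h, o, kdc.preauth),
    }
    stack, ok, prompts = parse_auth_stack(stack_text), 0, []
    for _ in range(logins):
        pamh = PamHandle(user, typed_password)      # fresh handle per login
        ok += run_auth(stack, pamh, modules) == PAM_SUCCESS
        prompts.append(len(pamh.prompts))
    return ok, prompts, kdc.failures.get(user, 0), user in kdc.locked


# Constructed sample data: alice's local and Kerberos passwords differ and she
# always types the local one; bob is Kerberos-only with no local password.
LOCAL = {"alice": "alice-local-pw"}
KRB = {"alice": "alice-krb-pw", "bob": "bob-krb-pw"}
KRB5_FIRST = "auth sufficient pam_krb5.so try_first_pass\nauth required pam_unix.so use_first_pass\n"
UNIX_FIRST = "auth sufficient pam_unix.so\nauth required pam_krb5.so use_first_pass\n"


def compare(logins=5):
    """Both users through both stack orders, each against a fresh toy KDC."""
    results = {}
    for stack_name, stack in (("krb5_first", KRB5_FIRST), ("unix_first", UNIX_FIRST)):
        for user, typed in (("alice", LOCAL["alice"]), ("bob", KRB["bob"])):
            results[(stack_name, user)] = simulate(stack, user, typed, logins, LOCAL, ToyKdc(dict(KRB)))
    return results


if __name__ == "__main__":
    for key, (ok, prompts, failures, locked) in compare().items():
        print(key, "logins ok:", ok, "prompts/login:", prompts, "KDC failures:", failures, "locked:", locked)
```

With pam_krb5 first, alice logs in successfully every time through pam_unix, sees exactly one "Password:" prompt, and never learns that each login also sent her local password to the KDC as a failed pre-authentication attempt, so her Kerberos account is locked after the third login. With pam_unix first and pam_krb5 given use_first_pass, the KDC is only contacted after the local check fails, alice never reaches it, and bob still gets a single prompt because the cached token is reused rather than prompted for again.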