[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Kerberos and PAM query

Ted, I guess this one is especially for you...

Having pamized a few apps (imapd/popd and xlockmore), I was going to
go on to work on the apps in NetKit like rsh/rshd.  I noticed that
there are, not surprisingly, kerberos defines in rsh as well as rshd.
Since pam is supposed to map nicely to kerberos, how do I modify rsh
correctly?  Presumably, lots of client-side apps that would otherwise
need no pamification need to be pamified if they are going to work
with kerberos, right?

One way that seems like it *might* make sense is this (lacking error
checking code...).  First, unless kerberos is in place, config lines
for the rsh service (as opposed to the rshd service!) all call
pam_allow.so so that they just succeed by default.  They would be
replaced by pam_kerb*.so on a system that needs to access kerberized
sites, I imagine.  Possibly there would be different kerberos modules
for server-side services and client-side services; Ted?

In any case, with that situation in place, I imagine code something
like this (assume reasonable arguments and error handling):
pam_start();
if (pam_setcred(pamh, PAM_CRED_REFRESH) != PAM_SUCCESS) {
  pam_authenticate();
  pam_acct_mgmt();
  pam_setcred(pamh, PAM_CRED_ESTABLISH)
}
pam_end();
(it doesn't seem to me that rsh should be doing any session management).

Obviously, rshd would have more normal pa-using code, similar to what
login does.

Does that make sense?  If not, could you explain how this ought to work
in some detail?

Thanks!

michaelkjohnson

"Ever wonder why the SAME PEOPLE make up ALL the conspiracy theories?"
[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []