[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

pamifying kerberos servers

From: Bob Smart <smart hpc CSIRO AU>
To: pam-list redhat com
Subject: pamifying kerberos servers
Date: Mon, 07 May 2001 14:15:32 +1000

It is important to distinguish:

                           kerberized telnet
GOOD:    user-workstation ------------------- remote-service
       {windows AD login                    {password-free login
        or unix kinit;                       using kerberos token}
        kerberos telnet}

                            standard telnet
BAD:     user-workstation ------------------- remote-service
        {local login only;                  {pam_krb5
         standard telnet}                    authentication}

Both use kerberos to do the authentication. However the pam_krb5
solution involves the user's kerberos password crossing the net 
in the clear. Of course there are many cases where this is ok:
secure LAN, encrypted IPSEC link, etc. However we would like to
move to the real kerberos solution where passwords are only used
locally.

The problem is that the kerberos servers (such as kshd and 
replacements for telnetd and ftpd) are I think not PAMified, 
so installing kerberos can be a backward step in server 
functionality. Is anyone working on this?

Bob

Follow-Ups:
- Re: pamifying kerberos servers
  - From: Nicolas Williams <Nicolas.Williams@ubsw.com>
- Re: pamifying kerberos servers
  - From: Sam Hartman <hartmans@MIT.EDU>

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index] []