[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: pamifying kerberos servers

From: Nicolas Williams <Nicolas Williams ubsw com>
To: pam-list redhat com
Subject: Re: pamifying kerberos servers
Date: Mon, 7 May 2001 14:25:14 -0400

On Mon, May 07, 2001 at 02:15:32PM +1000, Bob Smart wrote:
> The problem is that the kerberos servers (such as kshd and 
> replacements for telnetd and ftpd) are I think not PAMified, 
> so installing kerberos can be a backward step in server 
> functionality. Is anyone working on this?

Only talking...

I've thought some about moving telnetd's -a option handling to
login/PAM, based on a gross thing that Sun's SEAM does :)

Essentially:

 - telnetd execs /bin/login with arguments --pam-service XYZ [<username>]

 - the "telnet" PAM service works as usual

 - the "ktelnet" PAM service has a PAM module that re-creates the ccache
   (if any) containing forwarded creds and/or returns PAM_SUCCESS.

 - telnetd chooses the PAM service according to wether the authenticated
   principal has access to the requested account (krb5_kuserok())


> Bob
> 

Cheers,

Nico
--

References:
- pamifying kerberos servers
  - From: Bob Smart <smart@hpc.CSIRO.AU>

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index] []