ftpd and AFS tickets

Sam Hartman hartmans at MIT.EDU
Tue Apr 23 13:45:40 EDT 2002


>>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:

    >> Currently I'm using SSH with GSSAPI and pam_krb5 support.  In
    >> /etc/profile (and/or pam config for ssh) I'm getting the AFS
    >> token, so it's possible to use AFS as home when doing
    >> interactive logins with SSH.

    Ken> But if you're doing GSSAPI, then pam is never being invoked,
    Ken> right?  Are users typing cleartext passwords inside of ssh?

No, the setcred, account and session steps still get called.

I have a PAM module that calls aklog -setpag for the Debian AFS stuff.
It avoids me having to have Kerberos depend on AFS.

Unfortunately MIT's ftpd and login.krb5 are not PAM aware.  We've
received a patch to add this support; the author of the patch was
given commit access, but hasn't gotten around to integrating changes.


