ftpd and AFS tickets
Sam Hartman
hartmans at MIT.EDU
Tue Apr 23 13:45:40 EDT 2002
>>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
>> Currently I'm using SSH with GSSAPI and pam_krb5 support. In
>> /etc/profile (and/or pam config for ssh) I'm getting the AFS
>> token, so it's possible to use AFS as home when doing
>> interactive logins with SSH.
Ken> But if you're doing GSSAPI, then pam is never being invoked,
Ken> right? Are users typing cleartext passwords inside of ssh?
No, the setcred, account and session steps still get called.
I have a PAM module that calls aklog -setpag for the Debian AFS stuff.
IT avoids me having to have Kerberos depend on AFS.
Unfortunately MIT's ftpd and login.krb5 are not PAM aware. We've
received a patch to add this support; the author of the patch was
given commit access, but hasn't gotten around to integrating changes.
More information about the Kerberos
mailing list