ftpd and AFS tickets
Steve Langasek
vorlon at dodds.net
Tue Apr 23 14:05:27 EDT 2002
On Tue, Apr 23, 2002 at 01:58:50PM -0400, Nick M. Williams wrote:
>
> Simon's patches for OpenSSH use PAM. I believe the Solaris telnetd and
> friends do as well, yes, even with Kerberos-authenticated clients. The
> key is to either not bother calling pam_authenticate() (the user *is*
> authenticated already) or call it but use a PAM_SERVICE name configured
> to just return PAM_SUCCESS immediately from pam_authenticate().
> And the point of this is that kerberized network daemons can use
> pam_setcred() to share a client's credentials with interested
> modules, such as AFS PAM modules, say. :)
-- So long as they don't use the return value from pam_setcred() in
deciding whether to grant access to a service when the user has already
been authenticated through a mechanism other than PAM.
Steve Langasek
postmodern programmer
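
The rule discussed in this thread, as an added example that is not part of either message or of any daemon's real code: the client is already authenticated by Kerberos, pam_authenticate() is skipped, and the pam_setcred() result is logged but never feeds the access decision. The `pam_ops` wrappers, the stub functions and the account-management gate are assumptions made for illustration.

```c
#include <stdio.h>

/* Hypothetical wrappers around the daemon's PAM handle. In a real daemon they
   would call pam_acct_mgmt() and pam_setcred(); each returns 0 on success. */
struct pam_ops {
    int (*acct_mgmt)(void *handle);
    int (*setcred)(void *handle);
};

struct login_result {
    int granted;       /* access decision */
    int creds_shared;  /* whether modules (an AFS one, say) got the credentials */
};

/* The client has already been authenticated by Kerberos, so pam_authenticate()
   is not called. The setcred result is recorded and logged, never used to
   grant or deny access. */
struct login_result kerberized_login(int krb_authenticated,
                                     const struct pam_ops *ops, void *handle)
{
    struct login_result r = {0, 0};
    if (!krb_authenticated)
        return r;                       /* no fallback to PAM authentication */
    if (ops->acct_mgmt(handle) != 0)    /* assumption: account checks still gate access */
        return r;
    r.granted = 1;                      /* decided before setcred is consulted */
    int rc = ops->setcred(handle);
    r.creds_shared = (rc == 0);
    if (rc != 0)
        fprintf(stderr, "setcred failed (%d): no shared credentials\n", rc);
    return r;
}

/* Constructed stand-ins for the wrappers, for demonstration only. */
static int stub_ok(void *h)   { (void)h; return 0; }
static int stub_fail(void *h) { (void)h; return 1; }

int main(void)
{
    struct pam_ops ops = { stub_ok, stub_fail };   /* setcred fails */
    struct login_result r = kerberized_login(1, &ops, NULL);
    printf("granted=%d creds_shared=%d\n", r.granted, r.creds_shared);
    return 0;
}
```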