ftpd and AFS tickets

Steve Langasek vorlon at dodds.net
Tue Apr 23 14:05:27 EDT 2002


On Tue, Apr 23, 2002 at 01:58:50PM -0400, Nick M. Williams wrote:
> 
> Simon's patches for OpenSSH use PAM. I believe the Solaris telnetd and
> friends do as well, yes, even with kerberos-authenticated clients. The
> key is to either not bother calling pam_authenticate() (the user *is*
> authenticated already) or call it but use a PAM_SERVICE name configured
> to just return PAM_SUCCESS immediately from pam_authenticate().

> And the point of this is that kerberized network daemons can use
> pam_setcred() to share a client's credentials with interested
> modules, such as AFS PAM modules, say. :)

-- So long as they don't use the return value from pam_setcred() in
deciding whether to grant access to a service when the user has already
been authenticated through a mechanism other than PAM.

Steve Langasek
postmodern programmer
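
The control flow discussed in this thread, as an added example that is not part of the original messages or of any project's code: access is decided by the Kerberos exchange, and a failed credential hand-off is logged but never turned into a denial. The `setcred_fn` hook, `finish_login()`, the two constructed hooks and the user names are hypothetical; in a real daemon the hook would wrap `pam_setcred(pamh, PAM_ESTABLISH_CRED)`.

```c
#include <stdio.h>

/* Stand-in for a wrapper around pam_setcred(pamh, PAM_ESTABLISH_CRED);
 * returns 0 on success, like PAM_SUCCESS. Hypothetical type, so the
 * sketch builds without libpam. */
typedef int (*setcred_fn)(const char *user);

struct login_result {
    int granted;     /* access decision */
    int have_creds;  /* did the credential modules (e.g. AFS) succeed? */
};

static int setcred_calls;  /* constructed: counts hook invocations */

/* Constructed hooks simulating a working and a failing credential module. */
int setcred_ok(const char *user)   { (void)user; setcred_calls++; return 0; }
int setcred_fail(const char *user) { (void)user; setcred_calls++; return 1; }

struct login_result finish_login(int krb_authenticated, const char *user,
                                 setcred_fn setcred)
{
    struct login_result r = { 0, 0 };

    if (!krb_authenticated)
        return r;              /* denied; no credentials set up for this peer */

    r.granted = 1;             /* decided by the Kerberos exchange alone */

    if (setcred(user) == 0) {
        r.have_creds = 1;
    } else {
        /* Record it, keep the session: the user simply has no AFS token. */
        fprintf(stderr, "setcred failed for %s; continuing without "
                        "forwarded credentials\n", user);
    }
    return r;
}

int main(void)
{
    struct login_result a = finish_login(1, "alice", setcred_ok);
    struct login_result b = finish_login(1, "alice", setcred_fail);
    struct login_result c = finish_login(0, "mallory", setcred_ok);
    printf("ok: %d/%d  fail: %d/%d  unauth: %d/%d\n", a.granted, a.have_creds,
           b.granted, b.have_creds, c.granted, c.have_creds);
    return 0;
}
```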