.k5login wildcard

Sam Hartman hartmans at MIT.EDU
Wed Oct 22 10:24:43 EDT 2003

>>>>> "Tim" == Tim Alsop <Tim.Alsop at cybersafe.ltd.uk> writes:

    Tim> Michael, Would you be interested in a pam authorisation (not
    Tim> authentication) module that allowed you to store and manage
    Tim> this account name mapping information centrally in an ldap
    Tim> directory (or other central repository of information) ? You
    Tim> would not need to manage .k5login files in user home
    Tim> directories on 2000 machines if this was available ?

a PAM account module is not the right place for this.  Consider what
happens when I ssh into a machine using GSSAPI authentication.  I pass
along my credentials and authenticate my principal to the server
principal on the remote side.

PAM does not provide a standardized way to let the account modules
know what the Kerberos authentication identity is.  Nor does it really
seem safe to use PAM for this purpose even with some non-standard PAM
item to convey the principal.  I really want to make sure that at
least one account module considered the principal and validated the
mapping.  The failure mode where say only pam_unix.so is in the
account stack and anyone gets in as any user they wish seems very

More information about the Kerberos mailing list