.k5login wildcard
Sam Hartman
hartmans at MIT.EDU
Wed Oct 22 10:24:43 EDT 2003
>>>>> "Tim" == Tim Alsop <Tim.Alsop at cybersafe.ltd.uk> writes:
Tim> Michael, would you be interested in a PAM authorisation (not
Tim> authentication) module that allowed you to store and manage
Tim> this account name mapping information centrally in an LDAP
Tim> directory (or other central repository of information)? You
Tim> would not need to manage .k5login files in user home
Tim> directories on 2000 machines if this was available?
A PAM account module is not the right place for this. Consider what
happens when I ssh into a machine using GSSAPI authentication. I pass
along my credentials and authenticate my principal to the server
principal on the remote side.
PAM does not provide a standardized way to let the account modules
know what the Kerberos authentication identity is. Nor does it really
seem safe to use PAM for this purpose even with some non-standard PAM
item to convey the principal. I really want to make sure that at
least one account module considered the principal and validated the
mapping. The failure mode where say only pam_unix.so is in the
account stack and anyone gets in as any user they wish seems very
unappealing.
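As an added illustration of the point about validating the mapping (example code written for this page, not code from the thread or from MIT Kerberos), here is a fail-closed account check in Python: a pam_unix-style module that never sees the principal abstains, and access is granted only if at least one module actually confirmed the principal-to-account mapping. The .k5login format and the no-file default rule are simplified assumptions, and the realm is a constructed value.

```python
from typing import Callable, Dict, Iterable, Optional

# Constructed realm for the example; a real deployment reads it from krb5.conf.
DEFAULT_REALM = "EXAMPLE.COM"


def k5login_permits(principal: str, local_user: str, k5login_text: Optional[str]) -> bool:
    """Return True if `principal` may log in as `local_user`.

    Simplified rule (an assumption for this example, not libkrb5's exact code):
    if the account has a .k5login, the principal must appear in it, one per line;
    if it has none, only local_user@DEFAULT_REALM is accepted.
    """
    if k5login_text is None:
        return principal == f"{local_user}@{DEFAULT_REALM}"
    return any(line.strip() == principal for line in k5login_text.splitlines())


# A "module" returns None if it never looked at the principal (pam_unix-style),
# otherwise a bool verdict on the principal -> account mapping.
AccountModule = Callable[[str, str], Optional[bool]]


def unix_account_module(principal: str, local_user: str) -> Optional[bool]:
    """Stand-in for pam_unix: it knows nothing about Kerberos, so it abstains."""
    return None


def make_k5login_module(k5login_files: Dict[str, str]) -> AccountModule:
    """Build a module that consults per-user .k5login contents held in `k5login_files`."""
    def module(principal: str, local_user: str) -> Optional[bool]:
        return k5login_permits(principal, local_user, k5login_files.get(local_user))
    return module


def authorize(principal: str, local_user: str, stack: Iterable[AccountModule]) -> bool:
    """Fail-closed stack evaluation: no module may reject the mapping, and at
    least one module must have positively validated it. A stack containing only
    abstaining modules (e.g. just pam_unix) therefore denies access."""
    validated = False
    for module in stack:
        verdict = module(principal, local_user)
        if verdict is False:
            return False
        if verdict is True:
            validated = True
    return validated
```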