Kerberos / PAM Usage ?

Dr. Greg Wettstein greg at wind.enjellic.com
Fri Sep 19 13:33:00 EDT 2003


On Sep 18,  6:26pm, Tim Alsop wrote:
} Subject: Kerberos / PAM Usage ?

> Hi,

Good morning to Tim and everyone on the list.

> I am looking for advice and feedback from the Kerberos community in
> relation to UNIX, PAM and Kerberos. If you can provide me with some
> feedback based on your views and experiences it would be very much
> appreciated.
>
> It is clear that PAM is becoming a common way to provide pluggable
> authentication services on UNIX or Linux operating systems. I am
> particularly interested in PAM for authorisation and wanted to hear
> from you about this. If you can help me, please provide feedback on
> the points listed below :

Fascinating.

It's been my experience that people in the industry don't seem to
understand authorization or perhaps don't understand the technology
when they see it.

I've been working for about five+ years on the issue, a few
reflections FWIW, on what I have encountered.

> 1. Do you, or the company you represent use Kerberos, or are you
>    considering using Kerberos with PAM for authorisation, authentication,
>    or both authentication and authorisation.

Yes.

My interest has been on addressing issues which allow Kerberos to be
used to synergize an open-architecture authorization scheme.

>    Note: Currently PAM with Kerberos can be used for authentication so
>    that login to the operating system directly at console, or via telnet
>    can be handled consistently. The use of PAM for authorisation would
>    involve checking .k5login files in home directories and/or using an
>    aname database on each system, or perhaps some other form of
>    mechanism.

PAM is actually not carrying out Kerberos authentication, at least not
with the pam_krb5 module which everyone seems to be using.  Instead
PAM is using Kerberos to do validation of authentication tokens,
i.e. passwords.  There are actually well taken purists who will claim
that using Kerberos with PAM is inherently evil in a strict security
context.

I don't think that using .k5login files as the basis for PAM
authorization makes sense or is scalable.  There is already a well
understood role for the .k5login files.  Extending them to implement
any type of significant authorization strategy would require either
changing the semantics of a widely used system or crafting extensions
on top of it.  Given the complexity of issues that a proper
authorization system needs to deal with the latter course would be a
poor architectural decision.

Maintaining an aname database on each system is also not scalable and
questionable from a security perspective.  Directory services, i.e.
LDAP, are really the appropriate technology to craft any type of
significant authorization system on.

> 2. If you are using, or considering using PAM for authorisation I
>    would like to hear if you using it with .k5login files, or checking
>    authorisation via an LDAP lookup, or some other method. Can you
>    provide details of your usage, or intended usage of PAM for
>    authorisation ?

The industry has two well understood technologies on which to build an
open-architecture authorization strategy, Kerberos and LDAP.  Perhaps
the most important question is how to blend these technologies in an
appropriate fashion which synergizes the strengths of each component
technology.

This is what the Hurderos Project is focusing on.  In IDfusion
authorization flows directly from a strong identity generation model.
Kerberos is used to authenticate both the fundamental (user, service,
server) and derived (authorization) identities.

The Hurderos source release includes a hurderos_pam module which
implements the IDfusion authorization model using a combination of
both Kerberos and LDAP technologies.  One of the questions which
arises is which of the four PAM phases should implement authorization.
In the case of hurderos_pam the decision was made to use the account
management phase and implement the necessary code through the
pam_sm_acct_mgmt API call.

PAM has a number of warts when an attempt is made to extend it past
authentication.  It's a useful technology but a number of issues need
to be addressed when extending it to more sophisticated identity and
authorization tasks.

Most notable is the fact that PAM has infrastructure to handle
identity translation but I have yet to see an application which has
been coded properly to handle it.  The callback system (pam_converse)
is a bit clumsy as well and tends to show its heritage as an
interactive login authentication mechanism.

I've spent a fair amount of time coding up patches to common
applications to allow their PAM support to implement identity
translation and a more sophisticated authorization strategy.  These
will be included in the source release.

I've had some interesting conversations with implementors of ERP
solutions on the subject of authorization.  By and large both the
open-source community and proprietary solution providers need to do a
lot of thinking before code-bases are ready to handle authorization in
a more sophisticated fashion.

> 3. Do you have any GSS-API enabled applications, or any Kerberos
>    enabled applications that accept a security context to determine the
>    users principal name and then use PAM for authorisation, or do you
>    have any applications that you would like have enabled in this
>    way ?

Yes, I've coded support into applications for PAM to make an
authorization decision based on a GSSAPI/KRB5 authenticated identity
token.  You haven't even begun to understand the warts of PAM
application support until you enter that domain.

Hurderos actually treats Kerberos as an authorizable service.  This is
actually an artifact of strict isolation between intrinsic and
representational identities.  From a PAM authorization perspective it
actually makes life a little bit easier.

It also makes it easy to quickly shut down user access without
disturbing the user's authentication status.  Denying authorization
for Kerberos service effectively denies all service delivery since the
user can't authenticate themselves.

> Many thanks in advance for your help,
>
> Tim Alsop

Indeed, FWIW, it seems.

}-- End of excerpt from Tim Alsop

As always,
GW

The Hurderos Project - Open Identity and Authorization Management
------------------------------------------------------------------------------
"The vast majority of human beings dislike and even dread all notions
with which they are not familiar.  Hence it comes about that at their
first appearance innovators have always been derided as fools and
madmen."
                                -- Aldous Huxley
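
The account-phase authorization decision the message describes (an authenticated Kerberos principal mapped to a local account, with the realm checked), written as an added example; this is not Hurderos or hurderos_pam code. It is kept free of libpam so it builds stand-alone: the AUTHZ_* return values are local constants standing in for the PAM codes, and the allow-list and realm name are constructed stand-ins for the directory (LDAP) lookup the message recommends over .k5login files.

```c
/* Added example, not hurderos_pam code: the decision a pam_sm_acct_mgmt()
 * hook could delegate to, with no libpam dependency so it builds alone. */
#include <stdio.h>
#include <string.h>

#define AUTHZ_OK       0   /* would map to PAM_SUCCESS in a real module */
#define AUTHZ_DENIED   1   /* would map to PAM_PERM_DENIED              */
#define AUTHZ_BADNAME  2   /* unparsable principal; treat as a denial   */

/* Split "primary/instance@REALM" into name and realm.  A backslash
 * escapes the next character, so "a\@b@REALM" keeps the '@' in the name
 * and a realm is only recognised at an unescaped '@'. */
static int parse_principal(const char *p, char *name, size_t nlen,
                           char *realm, size_t rlen) {
    size_t n = 0;
    realm[0] = '\0';
    for (; *p; p++) {
        if (*p == '\\' && p[1]) {        /* take the escaped char literally */
            p++;
        } else if (*p == '@') {          /* everything after is the realm   */
            if (!p[1] || strlen(p + 1) >= rlen) return -1;
            strcpy(realm, p + 1);
            break;
        }
        if (n + 1 >= nlen) return -1;
        name[n++] = *p;
    }
    name[n] = '\0';
    return (n > 0 && realm[0]) ? 0 : -1;   /* both parts must be present */
}

/* Constructed allow-list standing in for a directory query:
 * local account -> principal name permitted to open it. */
#define TRUSTED_REALM "EXAMPLE.ORG"        /* constructed realm name */
static const struct { const char *account; const char *principal; } allow[] = {
    { "alice", "alice" },
    { "root",  "alice/admin" },   /* only the admin instance may become root */
    { "bob",   "bob" },
};

/* The account-phase decision: the principal must be well formed, belong
 * to the trusted realm, and be mapped to the local account requested. */
int acct_authorize(const char *principal, const char *account) {
    char name[128], realm[128];
    if (parse_principal(principal, name, sizeof name, realm, sizeof realm))
        return AUTHZ_BADNAME;
    if (strcmp(realm, TRUSTED_REALM) != 0)
        return AUTHZ_DENIED;           /* foreign-realm ticket: not authorized */
    for (size_t i = 0; i < sizeof allow / sizeof allow[0]; i++)
        if (!strcmp(allow[i].account, account) && !strcmp(allow[i].principal, name))
            return AUTHZ_OK;
    return AUTHZ_DENIED;               /* authenticated, but not mapped here */
}
```

Note that an authenticated principal that is not in the mapping is still refused, which is the separation between authentication and authorization the message argues for.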

