pam-krb5 2.6 released

Markus Moeller huaraz at moeller.plus.com
Thu Dec 14 15:19:33 EST 2006


"Douglas E. Engert" <deengert at anl.gov> wrote in message 
news:4581A7BB.4090202 at anl.gov...
>
>
> Markus Moeller wrote:
>
>> Russ,
>>
>> I have a setup where I have two domains with trust and would like to have
>> users from either domain log in to my Unix machine to applications which
>> can't use GSSAPI, so I need to use pam_krb5 to have some form of SSO. My Unix
>> system is in DOMAIN1.COM which is configured to be the default domain in
>> krb5.conf. I configured pam (on Solaris 2.8) as follows:
>>
>> #authentication
>> other auth sufficient      pam_krb5-2.6.so.1 minimum_uid=100 debug
>> other auth sufficient      pam_krb5-2.6.so.1 minimum_uid=100 realm=DOMAIN2.COM use_first_pass debug
>
> Can you actually call this twice? Some version of pam_krb5 would
> call pam_set_data(...."ctx"...) and overlay (or use) the pam_krb5
> context set by the first one. (Don't know about 2.6.)
> You could add a ctx_name option, so multiple invocations would
> use different ctx's.
>

I guess that something like that is happening, but I don't think there is a 
need to handle this via an additional option, the module should be able to 
create a new krb5_context with DOMAIN2.COM e.g. after checking that the new 
realm doesn't match the one retrieved by pam_get_data.

Markus

>
>> other auth required       pam_unix.so.1 try_first_pass debug
>> # account
>> other account sufficient   pam_krb5-2.6.so.1 minimum_uid=100 debug
>> other account sufficient   pam_krb5-2.6.so.1 minimum_uid=100
>> realm=DOMAIN2.COM debug
>> other account required    pam_unix.so.1 debug
>> # session
>> other session required     pam_default.so.1 debug
>>
>> The problem I have is that despite setting the realm to DOMAIN2.COM the
>> system always tries to connect to KDCs of DOMAIN1.COM, never DOMAIN2.COM,
>> despite getting an unknown user from DOMAIN1 for users of DOMAIN2 as it
>> should be. It seems that the Kerberos context of the first
>> pam_sm_authenticate call is still used for the second despite changing the
>> realm.
>>
>> Thanks
>> Markus
>>
>> BTW, is it intentional to use different defines for the below?
>>
>> # grep KRB5_GET_INIT *.[ch]
>> config.h:/* #undef HAVE_KRB5_GET_INIT_OPT_SET_DEFAULT_FLAGS */
>> support.c:#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_DEFAULT_FLAGS
>> #
>>
>>
>> "Russ Allbery" <rra at stanford.edu> wrote in message
>> news:871wnnyy8j.fsf at windlord.stanford.edu...
>>
>>>I'm pleased to announce release 2.6 of my Kerberos v5 PAM module.  This is
>>>a bug-fix release; the feature improvements that were intended to be in
>>>this release have been deferred to the next release.
>>>
>>>pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
>>>It supports ticket refreshing by screen savers, configurable authorization
>>>handling, authentication of non-local accounts for network services,
>>>password changing, and password expiration, as well as all the standard
>>>expected PAM features.  It works correctly with OpenSSH, even with
>>>ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
>>>supports configuration either by PAM options or in krb5.conf or both.
>>>
>>>Changes from previous release:
>>>
>>>   Don't assume the pointer set by pam_get_user is usable over the life
>>>   of the PAM module; instead, save a local copy.
>>>
>>>   Avoid a use of already freed memory when debugging is enabled.
>>>
>>>   Use __func__ instead of __FUNCTION__ and provide a fallback for older
>>>   versions of gcc and for systems that support neither.  Should fix
>>>   compilation issues with Sun's C compiler.
>>>
>>>   On platforms where we know the appropriate compiler flags, try to
>>>   build the module so that symbols are resolved within the module in
>>>   preference to any externally available symbols.  Also add the
>>>   hopefully correct compiler flags for Sun's C compiler.
>>>
>>>You can download it from:
>>>
>>>   <http://www.eyrie.org/~eagle/software/pam-krb5/>
>>>
>>>Debian packages will be uploaded to Debian unstable once I have approval
>>>from the release managers.
>>>
>>>Please let me know of any problems or feature requests not already listed
>>>in the TODO file.
>>>
>>>-- 
>>>Russ Allbery (rra at stanford.edu) 
>>><http://www.eyrie.org/~eagle/>
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
> -- 
>
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
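The thread's point is that stacking pam_krb5 twice in the same PAM stack with different realm= options does not do what the configuration appears to say: the second invocation silently reuses the first invocation's Kerberos context, so DOMAIN2 users still get sent to DOMAIN1's KDCs. The following is an added example (not code from the thread, from pam-krb5, or from Solaris) that parses Solaris-style pam.conf lines and flags exactly that pattern, so an administrator can spot it before users report failed logins. It assumes the five-field pam.conf layout shown in the post (service, module type, control flag, module path, options) and uses the quoted configuration, with the wrapped lines rejoined, as a constructed sample; the default realm name is a parameter, since pam.conf itself does not carry it.

```python
"""Lint a Solaris-style pam.conf for pam_krb5 stacked more than once per
service/type with differing effective realms (the situation in the thread)."""
from collections import defaultdict

# Constructed sample: the configuration quoted in the post, wrapped lines
# rejoined. It is not read from any real system.
SAMPLE_PAM_CONF = """\
#authentication
other auth sufficient      pam_krb5-2.6.so.1 minimum_uid=100 debug
other auth sufficient      pam_krb5-2.6.so.1 minimum_uid=100 realm=DOMAIN2.COM use_first_pass debug
other auth required       pam_unix.so.1 try_first_pass debug
# account
other account sufficient   pam_krb5-2.6.so.1 minimum_uid=100 debug
other account sufficient   pam_krb5-2.6.so.1 minimum_uid=100 realm=DOMAIN2.COM debug
other account required    pam_unix.so.1 debug
# session
other session required     pam_default.so.1 debug
"""


def parse_pam_conf(text):
    """Parse pam.conf text into a list of entries.

    Each entry is a dict with keys service, type, flag, module and options;
    options maps 'key=value' to its value and bare flags (e.g. debug) to True.
    Full-line comments and blank lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, flag, module, *opts = fields
        options = {}
        for opt in opts:
            key, _, value = opt.partition("=")
            options[key] = value if value else True
        entries.append({"service": service, "type": mtype, "flag": flag,
                        "module": module, "options": options})
    return entries


def find_realm_stacking(entries, default_realm):
    """Return one finding per (service, type) stack that invokes pam_krb5
    more than once with more than one effective realm.

    An invocation without realm= falls back to default_realm (the krb5.conf
    default_realm on the host). Such stacks rely on each invocation getting
    its own Kerberos context, which the thread reports does not happen.
    """
    stacks = defaultdict(list)
    for entry in entries:
        if "pam_krb5" in entry["module"]:
            stacks[(entry["service"], entry["type"])].append(entry)
    findings = []
    for (service, mtype), invocations in stacks.items():
        realms = [inv["options"].get("realm", default_realm) for inv in invocations]
        if len(invocations) > 1 and len(set(realms)) > 1:
            findings.append({"service": service, "type": mtype, "realms": realms})
    return findings


def lint(text, default_realm):
    """Parse and check in one call; returns the list of findings."""
    return find_realm_stacking(parse_pam_conf(text), default_realm)


if __name__ == "__main__":
    for f in lint(SAMPLE_PAM_CONF, "DOMAIN1.COM"):
        print(f"{f['service']} {f['type']}: pam_krb5 stacked with realms "
              f"{f['realms']}; later invocations may reuse the first context")
```

Run against the sample, the linter reports the auth and account stacks, each invoking pam_krb5 once for the default realm and once for DOMAIN2.COM. The session stack, which does not reference pam_krb5, produces nothing.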