pam-krb5 2.5 released
Douglas E. Engert
deengert at anl.gov
Mon Nov 13 17:34:51 EST 2006
David Pullman wrote:
> Russ Allbery wrote:
>
>>I'm pleased to announce release 2.5 of my Kerberos v5 PAM module.
>>
>>pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
>>It supports ticket refreshing by screen savers, configurable authorization
>>handling, authentication of non-local accounts for network services,
>>password changing, and password expiration, as well as all the standard
>>expected PAM features. It works correctly with OpenSSH, even with
>>ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
>>supports configuration either by PAM options or in krb5.conf or both.
>>
>>Changes from previous release:
>>
>> Don't free the results of pam_get_item(PAM_AUTHTOK) when changing
>> passwords. Thanks, Arne Nordmark.
>>
>> Be a bit more thorough when checking authorization in
>> pam_sm_acct_mgmt. Re-retrieve the value of user in case the
>> application changed it, and if we have a ticket cache (we may not even
>> after a successful authentication if no_ccache was specified),
>> retrieve the principal from it rather than using the principal from
>> the context.
>>
>> Overwrite passwords with 0 before freeing them, just out of paranoia
>> (and because PAM also does this internally).
>>
>>You can download it from:
>>
>> <http://www.eyrie.org/~eagle/software/pam-krb5/>
>>
>>Debian packages have been uploaded to Debian unstable and will hopefully
>>also be in the upcoming etch release.
>>
>>Please let me know of any problems or feature requests.
>>
>
>
> Where I work we are migrating to a Kerberos authentication solution from
> NIS. The newer systems are doing fine, but we have some "legacy"
> Solaris 8 and 9 boxes that will need to be around for perhaps a couple
> of years.
>
> Our hope is to try and get a decent pam setup on the Solaris boxes so we
> can use them without having to maintain NIS passwd just for them. In
> testing we found that Solaris pam-krb5 seems to need to have host
> principals, and that it takes 30 to 40 seconds to get through a dt login.
The host principal is needed to avoid an attack where the
attacker impersonates the KDC, as well as the user.
30 to 40 seconds sounds long. It might be that the code tries to
contact a KDC that is not present, and falls over to trying a second
one.
>
> I noticed mention of Solaris in the README and change summary. Is it
> possible to use this pam-krb5 with S8 or S9? In some initial attempts
> at this, it would seem that it will only compile with MIT libraries
> available, as if the Solaris krb is not sufficient, at least prior to
> S10?
It should work. On Solaris 6, 7, 8 and 9 we have used a different
pam_krb5 and the MIT Kerberos. On Solaris 10 we are using the Solaris
pam_krb5 and Kerberos.
The older SEAM Kerberos has some restrictions, like not supporting
newer enc-types, or TCP to the KDC, all of which are suggested if you
are trying to use Windows as the KDC.
> If anyone has any experience with this, or suggestions, I would be
> most appreciative.
>
> Thanks very much.
>
> --
> David Pullman
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
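The "overwrite passwords with 0 before freeing them" item in the announcement above, as an added C example that is not pam-krb5's own code: the wipe is done through a volatile pointer so the compiler cannot discard the stores as dead just because free() follows; the function names are my own.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Overwrite a secret buffer with zeros in a way the optimizer cannot
 * elide. A plain memset() immediately before free() is a dead store
 * from the compiler's point of view and may be dropped; writing through
 * a volatile pointer forces every byte to be stored. Where available,
 * explicit_bzero() (glibc, BSDs) or memset_s() (C11 Annex K) do the
 * same job. */
static void secure_zero(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. */
int is_all_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Wipe a NUL-terminated password copy and release it. A PAM module that
 * keeps its own copy of the authtok should free it this way rather than
 * with a bare free(), so cleartext does not linger in freed memory. */
void password_free(char *pw)
{
    if (pw == NULL)
        return;
    secure_zero(pw, strlen(pw) + 1);
    free(pw);
}

/* Demonstration: copy a (constructed) password as a module would, confirm
 * the copy held it, wipe it, and confirm no cleartext byte remains before
 * the buffer is released. Returns 1 if the wipe left all bytes zero. */
int demo_wipe(const char *password)
{
    size_t len = strlen(password);
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return 0;
    memcpy(copy, password, len + 1);
    int held = (memcmp(copy, password, len + 1) == 0);
    secure_zero(copy, len + 1);
    int wiped = is_all_zero((const unsigned char *)copy, len + 1);
    free(copy);
    return held && wiped;
}
```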