pam-krb5 3.5 released

Markus Moeller huaraz at moeller.plus.com
Fri Jun 1 14:54:41 EDT 2007


Russ,

Can I make two feature requests?

We have applications using PAM for user authentication that want to move to 
Kerberos. pam-krb5 would be a good option, but I have two problems:

1) The application runs as non-root and I'd like to use the keytab check to 
verify that it came from the right KDC. At the moment your code allows 
changing the keytab file itself but not the service. It always looks for the 
host principal. Can you add an option to change this to another principal so 
I can keep the system keytab only accessible by root?

2) Since the application doesn't need to check the existence of the user on 
the OS, can you add an option to not use the OS user check with getpwnam (as 
you mention in the code, it means pam_setcred and pam_open_session don't 
work, but that would not be needed anyway)? I would need only the auth and 
account features of PAM.

Thanks
Markus

"Russ Allbery" <rra at stanford.edu> wrote in message 
news:87bqhvhjk0.fsf at windlord.stanford.edu...
> I'm pleased to announce release 3.5 of pam-krb5.
>
> pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
> It supports ticket refreshing by screen savers, configurable authorization
> handling, authentication of non-local accounts for network services,
> password changing, and password expiration, as well as all the standard
> expected PAM features.  It works correctly with OpenSSH, even with
> ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
> supports configuration either by PAM options or in krb5.conf or both.
>
> Changes from previous release:
>
>    Don't try to chown non-FILE ticket caches, which among other things
>    breaks using pam-krb5 with Heimdal KCM caches.  Thanks, Jeremy
>    Jackson.
>
>    When logging session deletion via pam_setcred or pam_close_session,
>    don't look for the username in the PAM context after it's been freed.
>    Thanks, Markus Moeller.
>
>    Map more Kerberos status codes to PAM status codes for authentication
>    errors.
>
> You can download it from:
>
>    <http://www.eyrie.org/~eagle/software/pam-krb5/>
>
> Debian packages have been uploaded to Debian unstable.
>
> Please let me know of any problems or feature requests not already listed
> in the TODO file.
>
> -- 
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>