pam-krb5 3.6 released
Sam Hartman
hartmans at MIT.EDU
Thu Sep 20 13:00:42 EDT 2007
>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
Nicolas> On Wed, Sep 19, 2007 at 08:06:42PM +0100, Markus Moeller
Nicolas> wrote:
>> Did you have a chance to look at the keytab verification
>> problem I mentioned some time ago ? Right now you need to have
>> a host/fqdn entry to verify the tickets, but this means the
>> application needs to run as root (Assuming verify_ap_req_nofail
>> is set to true which I think should be the default for pam
>> anyway)
Nicolas> Solaris PAM requires that PAM functions be called with
Nicolas> all [zone] privileges asserted. It's a very good
Nicolas> simplifying assumption that PAM modules will need
Nicolas> privilege, and PAM being pluggable, the framework and the
Nicolas> application cannot know a priori which privileges a
Nicolas> module might need. I would apply the same constraint to
Nicolas> Linux-PAM.
Nicolas> Applications like screen savers must either be part of
Nicolas> the trusted base, and setuid or what-have-you, or they
Nicolas> must be able to use a helper process to handle
Nicolas> authentication.
We've been unable to convince the Linux community of this.
Very very frustrating.
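The keytab-verification problem Markus raises above (the verifying process must be able to read a keytab that holds a host/fqdn entry) is easy to audit from the outside. The following is an added example, not code from pam-krb5 or from anyone in this thread: it parses the MIT keytab file format (version 0x0502) without the Kerberos libraries, lists the principals, and reports whether the calling uid can read the keytab at all and whether a host/<fqdn> entry is present. The sample keytab, its realm and the all-zero key bytes are constructed for the demonstration and are not real credentials.

```python
import os
import struct
import tempfile

# MIT keytab format, version 0x0502: a 2-byte version, then entries, each
# prefixed by a big-endian int32 size (negative size = deleted slot).


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples as a 0x0502 keytab.
    Only used here to construct a sample file; key bytes are filler."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = bytearray()
        body += struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">I", 1)            # name_type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)            # timestamp (constructed value)
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)         # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return [(principal@REALM, kvno, enctype), ...] from 0x0502 keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                       # deleted slot: skip its bytes
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        (rlen,) = struct.unpack_from(">H", data, p); p += 2
        realm = data[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p); p += 2
            comps.append(data[p:p + clen].decode()); p += clen
        p += 4                             # name_type
        p += 4                             # timestamp
        kvno = data[p]; p += 1             # 8-bit kvno
        enctype, klen = struct.unpack_from(">HH", data, p); p += 4 + klen
        if end - p >= 4:                   # optional 32-bit kvno overrides
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries


def audit_keytab(path, fqdn):
    """Report whether this uid can read the keytab and whether it holds host/<fqdn>.
    An unreadable keytab is exactly the case where verification must run as root."""
    report = {"readable": os.access(path, os.R_OK), "host_entry": False, "principals": []}
    if not report["readable"]:
        return report
    with open(path, "rb") as f:
        entries = parse_keytab(f.read())
    report["principals"] = sorted({e[0] for e in entries})
    wanted = "host/" + fqdn + "@"
    report["host_entry"] = any(p.startswith(wanted) for p in report["principals"])
    return report


def demo():
    """Write a constructed keytab to a temp file and audit it for two hostnames."""
    sample = build_keytab([
        ("host/www.example.com", "EXAMPLE.COM", 3, 18, b"\x00" * 32),  # enctype 18: aes256-cts
        ("HTTP/www.example.com", "EXAMPLE.COM", 1, 17, b"\x00" * 16),  # enctype 17: aes128-cts
    ])
    with tempfile.NamedTemporaryFile(suffix=".keytab", delete=False) as f:
        f.write(sample)
        path = f.name
    try:
        return audit_keytab(path, "www.example.com"), audit_keytab(path, "other.example.com")
    finally:
        os.remove(path)


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Run against the real /etc/krb5.keytab as the uid the application actually uses: `readable` False is the situation described in the thread, where only root can perform the AP-REQ check, and a missing `host_entry` means verification would fail even as root.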