pam-krb5 3.6 released

Sam Hartman hartmans at MIT.EDU
Thu Sep 20 13:00:42 EDT 2007


>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:

    Nicolas> On Wed, Sep 19, 2007 at 08:06:42PM +0100, Markus Moeller
    Nicolas> wrote:
    >> Did you have a chance to look at the keytab verification
    >> problem I mentioned some time ago ?  Right now you need to have
    >> a host/fqdn entry to verify the tickets, but this means the
    >> application needs to run as root (Assuming verify_ap_req_nofail
    >> is set to true which I think should be the default for pam
    >> anyway)

    Nicolas> Solaris PAM requires that PAM functions be called with
    Nicolas> all [zone] privileges asserted.  It's a very good
    Nicolas> simplifying assumption that PAM modules will need
    Nicolas> privilege, and PAM being pluggable, the framework and the
    Nicolas> application cannot know a priori which privileges a
    Nicolas> module might need.  I would apply the same constraint to
    Nicolas> Linux-PAM.

    Nicolas> Applications like screen savers must either be part of
    Nicolas> the trusted base, and setuid or what-have-you, or they
    Nicolas> must be able to use a helper process to handle
    Nicolas> authentication.

We've been unable to convince the Linux community of this.
Very very frustrating.