Kerberized authorization service

Edward Murrell edward at murrell.co.nz
Tue Jan 22 00:38:50 EST 2008


Sounds like something that would be better served using LDAP groups;
that way it could hook into existing infrastructure.

However, the current PADL pam implementation (last I looked anyway)
wasn't especially brilliant at providing control for lots of hosts with
lots of users. It was possible to cobble something together
using /etc/security/access.conf, but it always felt... odd. Maybe look
into updating that?

Cheers,
Edward

On Mon, 2008-01-21 at 14:36 -0800, Jos Backus wrote:
> 
> The server:
> - accepts some client-generated request (containing service,
>   principal/username, hostname, etc.) over TCP;
> - sends this data to a backend application;
> - receives the response ('authorized' or 'not authorized') from the
>   backend;
> - relays the response to the client.
> 
> The client is called by pam_exec from the account group, so it has
> access to the username; the realm could be supplied on the command
> line. The client could try multiple authorization servers to ensure
> availability.
> 
> The backend application could simply query a database which is
> maintained by another application (presumably with an easy to use web
> frontend).
> 
> Thoughts? Would I be better off using GSSAPI instead?
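The exchange sketched in the quoted mail (client sends service, principal and hostname over TCP; server asks a backend and relays 'authorized' or 'not authorized'; client falls back to a second server), as an added example that is not part of either mail. The line-oriented message format, the `POLICY` set standing in for the backend database, and the fail-closed handling of malformed requests and unreachable servers are assumptions; like the proposal, it carries no authentication of client or server, which is the gap GSSAPI would close.

```python
import socket
import socketserver
import threading

# Constructed sample policy, standing in for the database maintained by
# another application: (service, principal, hostname) tuples that are allowed.
POLICY = {
    ("sshd", "alice@EXAMPLE.ORG", "web01.example.org"),
    ("sshd", "bob@EXAMPLE.ORG", "db01.example.org"),
}

def parse_request(line: bytes) -> tuple:
    """One request per line: 'service principal hostname'. Anything else is an error."""
    fields = line.decode("ascii", "strict").strip().split(" ")
    if len(fields) != 3 or not all(fields):
        raise ValueError("malformed request")
    return tuple(fields)

def authorize(req: tuple, policy=POLICY) -> bool:
    """Backend decision: exact match against the policy table."""
    return req in policy

def handle(line: bytes, policy=POLICY) -> bytes:
    """Server side: relay the backend's answer; any parse error fails closed."""
    try:
        req = parse_request(line)
    except (ValueError, UnicodeDecodeError):
        return b"not authorized\n"
    return b"authorized\n" if authorize(req, policy) else b"not authorized\n"

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        self.wfile.write(handle(self.rfile.readline(4096)))

def ask(servers, service, principal, hostname, timeout=2.0) -> bool:
    """Client side (what pam_exec would run): try each server in turn; deny if none answers."""
    req = f"{service} {principal} {hostname}\n".encode("ascii")
    for host, port in servers:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(req)
                return s.makefile("rb").readline().strip() == b"authorized"
        except OSError:
            continue  # unreachable server: fall through to the next one
    return False

if __name__ == "__main__":
    srv = socketserver.TCPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    # First server is a dead port, so the client fails over to the live one.
    print(ask([("127.0.0.1", 1), ("127.0.0.1", port)], "sshd", "alice@EXAMPLE.ORG", "web01.example.org"))
    srv.shutdown()
```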
