pam_krb5 for AIX
Sonja Benz
sonja.benz at de.ibm.com
Fri Jul 15 16:06:25 EDT 2011
It allows user logins for users not known to the local host. In our case we
want to use Kerberos as a kind of central and secure storage for user
passwords. The user is able to authenticate via pam_krb5, but will gain
host access for another identity / role.
The manual page of Fedora pam_krb5 and the option no_user_check:

    no_user_check
        tells pam_krb5.so to not check if a user exists on the local
        system, to skip authorization checks using the user's .k5login
        file, and to create ccache files owned by the current process's
        UID. This is useful for situations where a non-privileged
        server process needs to use Kerberized services on behalf of
        remote users who may not have local access. Note that such a
        server should have an encrypted connection with its client in
        order to avoid allowing the user's password to be eavesdropped.

Sonja

From: Russ Allbery <rra at stanford.edu>
To: Sonja Benz/Germany/IBM at IBMDE
Cc: kerberos at mit.edu
Date: 07/15/2011 09:50 PM
Subject: Re: pam_krb5 for AIX

Sonja Benz <sonja.benz at de.ibm.com> writes:
> That's great. We need a pam_krb5 which supports an option like
> "no_user_check". I guess, yours does not?
What does that option do?
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>