pam_krb5 for AIX

Russ Allbery rra at stanford.edu
Fri Jul 15 16:15:16 EDT 2011


Sonja Benz <sonja.benz at de.ibm.com> writes:

> It allows user logins for users not known to the local host. In our case
> we want to use Kerberos as a kind of central and secure storage for user
> passwords. The user is able to authenticate via pam_krb5, but will gain
> host access for another identity / role.

Thanks!

If the user doesn't exist on the local system, most of the behavior of
no_user_check is the default behavior for my pam-krb5 module.  It only
does authorization checks if the authenticating username exists as a local
account on the system and assumes that, if it doesn't, either the intended
use case is the one you describe or some other PAM module will notice that
the account doesn't exist and do the appropriate thing.

Note that pam_setcred will fail, however, for non-local accounts (since it
generally doesn't make sense to write out a ticket cache for a non-local
account).  That's the one part of this option that I don't support
currently.  Do you need to have a ticket cache created on local disk for
the user after authentication, or do you just need to verify
authentication?

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
