pam_krb5 for AIX

Markus Moeller huaraz at moeller.plus.com
Fri Jul 15 16:11:38 EDT 2011


I think ignore_k5login  together with no_ccache should achieve the same.

Markus


"Sonja Benz" <sonja.benz at de.ibm.com> wrote in message 
news:mailman.136.1310760521.7172.kerberos at mit.edu...
It allows user logins for user not known to the local host. In our case we
want to use Kerberos as a kind of central and secure storage for user
passwords. The user is able to authenticate via pam_krb5, but will gain
host access for another identity / role.

The manual page of Fedora pam_krb5 and the option no_user_check:

no_user_check
              tells  pam_krb5.so  to  not  check if a user exists on the
local
              system, to skip authorization checks using the  user?s
.k5login
              file,  and to create ccache files owned by the current
process?s
              UID.  This is  useful  for  situations  where  a
non-privileged
              server  process  needs  to  use Kerberized services on
behalf of
              remote users who may not have local access.  Note  that such
 a
              server  should  have  an encrypted connection with its
client in
              order to avoid allowing the user?s password to be
eavesdropped.

Sonja



From:
Russ Allbery <rra at stanford.edu>
To:
Sonja Benz/Germany/IBM at IBMDE
Cc:
kerberos at mit.edu
Date:
07/15/2011 09:50 PM
Subject:
Re: pam_krb5 for AIX



Sonja Benz <sonja.benz at de.ibm.com> writes:

> That's great. We need a pam_krb5 which supports an option like
> "no_user_check". I guess, yours does not?

What does that option do?

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>





More information about the Kerberos mailing list