pam_krb5 for AIX
Sonja Benz
sonja.benz at de.ibm.com
Fri Jul 15 16:51:24 EDT 2011
Pure authentication is what I need; a ticket cache is not needed.
Sonja
From: Russ Allbery <rra at stanford.edu>
To: Sonja Benz/Germany/IBM at IBMDE
Cc: kerberos at mit.edu
Date: 07/15/2011 10:15 PM
Subject: Re: pam_krb5 for AIX
Sonja Benz <sonja.benz at de.ibm.com> writes:
> It allows user logins for user not known to the local host. In our case
> we want to use Kerberos as a kind of central and secure storage for user
> passwords. The user is able to authenticate via pam_krb5, but will gain
> host access for another identity / role.
Thanks!
If the user doesn't exist on the local system, most of the behavior of
no_user_check is the default behavior for my pam-krb5 module. It only
does authorization checks if the authenticating username exists as a local
account on the system and assumes that, if it doesn't, either the intended
use case is the one you describe or some other PAM module will notice that
the account doesn't exist and do the appropriate thing.
Note that pam_setcred will fail, however, for non-local accounts (since it
generally doesn't make sense to write out a ticket cache for a non-local
account). That's the one part of this option that I don't support
currently. Do you need to have a ticket cache created on local disk for
the user after authentication, or do you just need to verify
authentication?
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
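The configuration below is an added illustration and not part of this thread or of pam-krb5's own documentation. It contrasts a login-style stack, where the application's pam_setcred() call fails for a principal with no local account, with the password-check-only stack the use case above needs. The service name is constructed, the Linux-style /etc/pam.d syntax is an assumption (AIX keeps the same fields in /etc/pam.conf with the service name in the first column), and `no_ccache` is an option of Russ Allbery's pam-krb5 that the thread itself does not mention.

```text
# /etc/pam.d/kdc-passwd-check   (constructed service name; pam.d syntax assumed)

# --- Login-style stack: NOT what "pure authentication" wants --------------
# pam_authenticate() succeeds for a Kerberos principal with no local
# account, but a login application then calls pam_setcred() to hand over
# credentials, and pam-krb5 refuses to write a ticket cache for a non-local
# user, so the whole login fails.
#auth      required   pam_krb5.so
#session   required   pam_krb5.so

# --- Password-check-only stack: this use case ------------------------------
# Only the "auth" group is configured. The application calls
# pam_authenticate() and pam_end() and never pam_setcred(), so no ticket
# cache is ever requested. no_ccache is a second guard: even if some caller
# does reach pam_setcred(), pam-krb5 will not try to create a cache.
auth       required   pam_krb5.so   no_ccache

# Deliberately no "account" line: pam-krb5 already skips its authorization
# checks when the username has no local account, and the host identity the
# user is mapped to afterwards is decided outside PAM.
```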