pam-krb5 4.5 released
Stephen Frost
sfrost at snowman.net
Fri Feb 10 15:35:24 EST 2012
Russ, all,

* Russ Allbery (rra at stanford.edu) wrote:
> I'm pleased to announce release 4.5 of pam-krb5.

As this is the users list that pam-krb5 is announced on, I figured
this would be an alright place to ask a few questions about both it
and the MIT KDC.

First- I *think* I've done everything correctly to get pam-krb5 to use
FAST (which is to say, set up k5start, verified it gets a valid
ticket, configured krb5.conf w/ the fast_ccache parameter, etc), but I
have no idea how to tell if it's *actually* getting used. I'm using
the 'stock' config of the MIT KDC from Ubuntu, with the slight caveat
that I made the RSA SDK available, so it includes SAM2 and SecurID
support.

Regarding SecurID support- that all seems to be working just fine from
kinit and through ssh/pam-krb5 (with ChallengeResponse and PAM
enabled, of course). However, as you might expect, both pam-krb5 (as
tested with OpenSSH) and kinit prompt for the principal's 'normal'
password before prompting for the token code (and it cares- it won't
work if you don't provide the correct PW).

Is there any way to eliminate the need for this first password? I had
been hoping that FAST would take care of it, or that, with FAST, I
could remove the "requires_preauth" flag from the princ and that it
wouldn't require the initial password, but neither of those seemed to
work. Would the pkinit approach work better to allow this setup to
work as I desire?

Any thoughts or pointers on this would really be appreciated. I feel
very, very close to having a good, working solution which leverages
Kerberos, RSA/SecurID, and SSH. I've been hoping for this combination
to work nicely for, literally, *years*.

Thanks!

Stephen