separate keytab for pam_krb5
Mantas M.
grawity at gmail.com
Sun Jan 22 09:52:46 EST 2012
On 2012-01-21 22:44, Russ Allbery wrote:
> The right solution to the problem is to have a local oracle that the PAM
> module can authenticate to and which will tell the PAM module whether the
> credentials are valid. That oracle can then run in a separate security
> context as root and have access to the keytab. I plan on adding such
> functionality to my PAM module once I find some time, but I haven't gotten
> a chance to work on it yet. (I want to have a daemon that listens on a
> UNIX domain socket. It would be somewhat simpler to provide a setuid
> helper program, but I think that's a much higher security risk.)
AFAIK, Fedora's `sssd` contains similar functionality -- the PAM and NSS
modules only contact a daemon running as root.
(Please excuse duplicate messages; I had forgotten again about the
"Reply to List" command...)
--
Mantas M.
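The privilege-separated "oracle" design discussed above, as an added illustration that is not code from the thread, pam_krb5 or sssd: the unprivileged caller (the PAM module's role) talks to a listener over a UNIX domain socket and only ever learns a yes/no verdict, while the secret material stays on the listener's side. The keytab-backed Kerberos check is replaced by a constructed in-memory table and a constructed wire format; both are assumptions for the demo only.

```python
import os
import socket
import tempfile
import threading

# Constructed stand-in for a keytab-backed Kerberos verification. A real oracle
# would validate the password against the KDC using the host keytab instead.
SECRET_TABLE = {b"alice@EXAMPLE.COM": b"correct horse"}


def verify_with_keytab(principal: bytes, password: bytes) -> bool:
    """Privileged check; this is the only function that touches the secret table."""
    return SECRET_TABLE.get(principal) == password


def serve_one(listener: socket.socket) -> None:
    """Privileged side: answer exactly one request with OK/FAIL, never echo secrets."""
    conn, _ = listener.accept()
    with conn:
        data = conn.recv(4096)
        # Constructed wire format: principal NUL password -> b"OK" or b"FAIL"
        principal, _, password = data.partition(b"\0")
        conn.sendall(b"OK" if verify_with_keytab(principal, password) else b"FAIL")


def ask_oracle(path: str, principal: bytes, password: bytes) -> bool:
    """Unprivileged side (the PAM module's role): no keytab access, only a verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(principal + b"\0" + password)
        return s.recv(16) == b"OK"


def run_oracle_check(principal: bytes, password: bytes) -> bool:
    """Start a one-shot oracle on a private socket path, query it, return the verdict."""
    sock_dir = tempfile.mkdtemp()
    path = os.path.join(sock_dir, "oracle.sock")
    # Directory mode 0700 limits who can reach the socket; a production daemon
    # would additionally check the peer's credentials (e.g. SO_PEERCRED on Linux).
    os.chmod(sock_dir, 0o700)
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    listener.listen(1)
    worker = threading.Thread(target=serve_one, args=(listener,))
    worker.start()
    try:
        return ask_oracle(path, principal, password)
    finally:
        worker.join()
        listener.close()
        os.unlink(path)
        os.rmdir(sock_dir)
```

The separation shown here is what makes the keytab unnecessary on the caller's side: the verdict crosses the socket, the secret does not.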