Future of kerberised telnet, login, rsh, ftp?

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Jul 7 10:01:40 EDT 2005

>That I was meaning in regard to kerberised /sbin/login.  BTW, do people
>ever try to do kerberised gdm/xdm without PAM?

Absolutely (especially if you want to use a platform that doesn't
support PAM).  The PAM support I saw for xdm wasn't sufficient for our
needs (it didn't implement the whole PAM conversation, and as a result
it couldn't support additional prompts by the Kerberos library for
doing things like password changes).  This may no longer be an issue
today, but still ...  I have this code out there, it works fine,
supports all of the platforms I use, and does all of the wacky stuff I
need to do at login time ... why would I _not_ use it?

>Now I know the world doesn't run PAM, but isn't that the place for a PAM
>account module?  (Perhaps one of the few things PAM does particularly

The authorization checks I need to perform are all based on specific fields
in the Kerberos ticket.  At the time I looked at it, I didn't really see a
way to make the decrypted service ticket available to the PAM account
module, but I will admit that I'm not a PAM wizard.

That aside ... in general, I've found that the less code I need to
maintain, the less work I have to do.  If I have to maintain a PAM
module for some systems and my own wacky crap for other systems, to me
that's more work for what I can tell is zero gain.  If we were a
Linux-only shop, it would be a different call.


More information about the krbdev mailing list