Future of kerberised telnet, login, rsh, ftp?
kenh at cmf.nrl.navy.mil
Thu Jul 7 10:01:40 EDT 2005

>That I was meaning in regard to kerberised /sbin/login. BTW, do people
>ever try to do kerberised gdm/xdm without PAM?

Absolutely (especially if you want to use a platform that doesn't
support PAM). The PAM support I saw for xdm wasn't sufficient for our
needs (it didn't implement the whole PAM conversation, and as a result
it couldn't support additional prompts by the Kerberos library for
doing things like password changes). This may no longer be an issue
today, but still ... I have this code out there, it works fine,
supports all of the platforms I use, and does all of the wacky stuff I
need to do at login time ... why would I _not_ use it?

>Now I know the world doesn't run PAM, but isn't that the place for a PAM
>account module? (Perhaps one of the few things PAM does particularly

The authorization checks I need to perform are all based on specific fields
in the Kerberos ticket. At the time I looked at it, I didn't really see a
way to make the decrypted service ticket available to the PAM account
module, but I will admit that I'm not a PAM wizard.

That aside ... in general, I've found that the less code I need to
maintain, the less work I have to do. If I have to maintain a PAM
module for some systems and my own wacky crap for other systems, to me
that's more work for what I can tell is zero gain. If we were a
Linux-only shop, it would be a different call.
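The complaint above about xdm's PAM support not "implementing the whole PAM conversation" is concrete enough to show in code. What follows is an added example written for this page, not code from the poster, xdm, or any pam_krb5 module: a minimal conversation callback that only ever answers a single hidden password prompt, beside one that handles every PAM message style, both run against a constructed stand-in for the prompts a Kerberos password change would emit. The constants, structure layouts and callback signature follow Linux-PAM; if <security/pam_appl.h> is on the system, build with -DHAVE_PAM_APPL_H and link with -lpam, otherwise the minimal definitions in the file are used so it compiles stand-alone. Answers come from a scripted queue so the exchange runs non-interactively; the prompt wording is illustrative, not taken from any real module.

```c
/* Added example (not the poster's code): full vs. minimal PAM conversation.
 * Constants and types follow Linux-PAM; compile with -DHAVE_PAM_APPL_H to
 * use the real header instead of the stand-in definitions below. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef HAVE_PAM_APPL_H
#include <security/pam_appl.h>
#else
#define PAM_SUCCESS          0
#define PAM_BUF_ERR          5
#define PAM_CONV_ERR         19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
#endif

/* Scripted answers stand in for a terminal or xdm greeter (constructed). */
struct script { const char **answers; int n; int next; };

static char *dup_answer(const char *s) {
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (p) memcpy(p, s, len);
    return p;
}

static void free_responses(struct pam_response *r, int n) {
    for (int i = 0; i < n; i++) free(r[i].resp);
    free(r);
}

/* Minimal conversation: answers exactly one PAM_PROMPT_ECHO_OFF and refuses
 * anything else, which is what breaks when pam_krb5 adds change prompts. */
int minimal_conv(int num_msg, const struct pam_message **msg,
                 struct pam_response **resp, void *appdata_ptr) {
    struct script *s = appdata_ptr;
    if (num_msg != 1 || msg[0]->msg_style != PAM_PROMPT_ECHO_OFF || s->next >= s->n)
        return PAM_CONV_ERR;
    struct pam_response *r = calloc(1, sizeof *r);
    if (!r) return PAM_BUF_ERR;
    r[0].resp = dup_answer(s->answers[s->next++]);
    if (!r[0].resp) { free(r); return PAM_BUF_ERR; }
    *resp = r;
    return PAM_SUCCESS;
}

/* Full conversation: every style handled; info/error text is shown without
 * consuming an answer; on failure all partial responses are released. */
int full_conv(int num_msg, const struct pam_message **msg,
              struct pam_response **resp, void *appdata_ptr) {
    struct script *s = appdata_ptr;
    if (num_msg <= 0) return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (!r) return PAM_BUF_ERR;
    for (int i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:
        case PAM_PROMPT_ECHO_ON:
            if (s->next >= s->n) { free_responses(r, num_msg); return PAM_CONV_ERR; }
            r[i].resp = dup_answer(s->answers[s->next++]);
            if (!r[i].resp) { free_responses(r, num_msg); return PAM_BUF_ERR; }
            break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:
            fprintf(stderr, "%s\n", msg[i]->msg);   /* display only */
            break;
        default:
            free_responses(r, num_msg);
            return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}

typedef int (*conv_fn)(int, const struct pam_message **, struct pam_response **, void *);

/* Ordinary login: one hidden prompt. Returns answered prompts, -1 on failure. */
int run_login_prompt(conv_fn conv) {
    const char *answers[] = { "secret" };
    struct script s = { answers, 1, 0 };
    const struct pam_message pw = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message *m[1] = { &pw };
    struct pam_response *r = NULL;
    if (conv(1, m, &r, &s) != PAM_SUCCESS) return -1;
    int answered = r[0].resp ? 1 : 0;
    free_responses(r, 1);
    return answered;
}

/* Constructed stand-in for an expired-password change: one info line and two
 * hidden prompts in a single conversation call. */
int run_change_sequence(conv_fn conv) {
    const char *answers[] = { "new-secret", "new-secret" };
    struct script s = { answers, 2, 0 };
    const struct pam_message seq[3] = {
        { PAM_TEXT_INFO,       "Password expired. You must change it now." },
        { PAM_PROMPT_ECHO_OFF, "Enter new password: " },
        { PAM_PROMPT_ECHO_OFF, "Enter it again: " },
    };
    const struct pam_message *m[3] = { &seq[0], &seq[1], &seq[2] };
    struct pam_response *r = NULL;
    if (conv(3, m, &r, &s) != PAM_SUCCESS) return -1;
    int answered = 0;
    for (int i = 0; i < 3; i++) if (r[i].resp) answered++;
    free_responses(r, 3);
    return answered;
}

int main(void) {
    printf("login   minimal=%d full=%d\n", run_login_prompt(minimal_conv), run_login_prompt(full_conv));
    printf("change  minimal=%d full=%d\n", run_change_sequence(minimal_conv), run_change_sequence(full_conv));
    return 0;
}
```

Both callbacks pass the plain login prompt; only full_conv gets through the change sequence, because the minimal one rejects a multi-message call outright. The freeing discipline matters as much as the style handling: on PAM_SUCCESS the library takes ownership of the response array and frees it, so the callback must not; on any error the callback must free what it built, or each failed login leaks.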