Thoughts on initial ticket acquisition/verification on Sun (slightly OT)

Frank Cusack fcusack at fcusack.com
Thu Nov 17 03:06:54 EST 2005


On November 16, 2005 5:12:01 PM -0800 "Henry B. Hotz" <hotz at jpl.nasa.gov> wrote:
> I just finished an auth plugin for Sun LDAP 5.2 that will accept a simple bind username/password
> and verify it against a K5 server.
...

Nice.  Will you be making the code available?  I'd very much like to see it.

> Nico suggested that I consider using PAM for this function.

Deficiencies in Sun's or other pam_krb5's aside, most applications leak
memory on PAM authentications.  The responses (the 'resp' argument to
the pam conversation function) are generally leaked.  For fork/exec
applications, the authentication happens in the forked child so this
usually goes unnoticed.

It seems unlikely to me that Sun LDAP 5.2 uses a fork/exec model, so you
should verify that the Sun LDAP 5.2 server does not leak these before
going the PAM route.  Running the LDAP server with libumem might be able
to show leaks.

-frank
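As an added illustration of the ownership rule behind the leak Frank describes (example code, not from the thread or from Henry's plugin): the conversation callback allocates the `resp` array plus one string per prompt, so num_msg + 1 blocks are outstanding until whoever consumes the responses frees every string and then the array. It assumes local stand-in structs with the same fields as PAM's `pam_message`/`pam_response` so it builds without the PAM headers, a constructed sample password, and a simple counter standing in for what libumem would report.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins (assumption) with the same fields as PAM's struct pam_message
 * and struct pam_response, so this compiles without <security/pam_appl.h>. */
struct msg  { int msg_style; const char *msg; };
struct resp { char *resp; int resp_retcode; };

/* Every block allocated for a response array is counted here and uncounted
 * by free_responses(); a non-zero value after authentication is the leak. */
static int live_allocs = 0;

static void wipe(char *p, size_t n) {       /* don't leave the secret behind */
    volatile char *v = p;
    while (n--) *v++ = 0;
}

static char *dup_str(const char *s) {       /* strdup without POSIX feature macros */
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* The cleanup that gets skipped: free every string, then the array itself.
 * Safe on a partially filled array (NULL entries are tolerated). */
void free_responses(struct resp *r, int num_msg) {
    if (!r) return;
    for (int i = 0; i < num_msg; i++) {
        if (r[i].resp) { wipe(r[i].resp, strlen(r[i].resp)); free(r[i].resp); live_allocs--; }
    }
    free(r); live_allocs--;
}

/* Conversation callback: answers every prompt with the constructed password
 * "hunter2" (sample value).  Allocates one resp[] array plus one string per
 * message, so num_msg + 1 blocks are outstanding when it returns. */
int conv(int num_msg, const struct msg **m, struct resp **out, void *appdata) {
    (void)m; (void)appdata;
    *out = NULL;
    if (num_msg <= 0) return -1;            /* PAM_CONV_ERR in real code */
    struct resp *r = calloc((size_t)num_msg, sizeof *r);
    if (!r) return -1;
    live_allocs++;
    for (int i = 0; i < num_msg; i++) {
        r[i].resp = dup_str("hunter2");
        if (!r[i].resp) { free_responses(r, i); return -1; }
        live_allocs++;
        r[i].resp_retcode = 0;
    }
    *out = r;
    return 0;                               /* PAM_SUCCESS */
}

int outstanding_allocs(void) { return live_allocs; }
```

On Solaris the same check needs no counter: run the server with LD_PRELOAD=libumem.so.1 and UMEM_DEBUG=default, then look for the resp blocks with mdb's ::findleaks.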


More information about the krbdev mailing list