[30542] in Kerberos
Re: Kerberos auth based on ticket
daemon@ATHENA.MIT.EDU (Simo Sorce)
Tue Dec 16 09:12:16 2008
From: Simo Sorce <ssorce@redhat.com>
To: "Rowley, Mathew" <Mathew_Rowley@cable.comcast.com>
In-Reply-To: <7372D9734C591745A4C1D81017D5ABF6090F6B3C@NJCHLEXCMB01.cable.comcast.com>
Date: Tue, 16 Dec 2008 09:11:20 -0500
Message-Id: <1229436680.3687.81.camel@localhost.localdomain>
Mime-Version: 1.0
Cc: kryanth@gopc.net, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Tue, 2008-12-16 at 08:37 -0500, Rowley, Mathew wrote:
> If you have a kerberos ticket, and ssh to a box that has GSSAPI
> enabled, will that pass through/disregard the PAM stack?

It will skip only the auth target (and there is no other way because you
are not providing a password the auth target can use).

If you set UsePAM yes it should still go through the account and session
targets, so that you can do proper access control/accounting/session
handling.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
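
The behaviour described in the reply above, shown as a configuration sketch. This is an added example, not part of the original message: the PAM stacks are minimal constructed ones, and the choice of pam_access.so as the access-control module is an assumption made for illustration. It contrasts a restriction placed in the auth target, which a ticket-based login never reaches, with the same restriction in the account target, which sshd still runs when UsePAM is yes.

```conf
# /etc/ssh/sshd_config (relevant lines only)
GSSAPIAuthentication yes
UsePAM yes

# ---------------------------------------------------------------
# /etc/pam.d/sshd, weak placement (constructed example)
# The access restriction sits in the auth target. A login with a
# Kerberos ticket over GSSAPI skips the auth target, so this
# pam_access.so line is never evaluated for that login.
# ---------------------------------------------------------------
auth     required  pam_access.so
auth     required  pam_unix.so
account  required  pam_unix.so
session  required  pam_unix.so

# ---------------------------------------------------------------
# /etc/pam.d/sshd, corrected placement (constructed example)
# The restriction is in the account target, which runs for both
# password logins and GSSAPI logins. Session modules also still
# run, so limits and accounting apply to ticket-based logins.
# ---------------------------------------------------------------
auth     required  pam_unix.so
account  required  pam_nologin.so
account  required  pam_access.so
account  required  pam_unix.so
session  required  pam_limits.so
session  required  pam_unix.so
```

When reviewing a host that accepts GSSAPI logins, check that every module meant to gate access appears under account or session rather than only under auth.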