[19782] in Kerberos
Re: which krb5 PAM module on Solaris 8?
daemon@ATHENA.MIT.EDU (Balazs GAL)
Sat Aug 9 09:06:25 2003
Message-ID: <3F34EF27.2010806@rit.bme.hu>
Date: Sat, 09 Aug 2003 14:55:03 +0200
From: Balazs GAL <balsa@rit.bme.hu>
MIME-Version: 1.0
To: Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu>
In-Reply-To: <Pine.OSF.4.53.0308041345260.15578@dogbert.cc.ndsu.NoDak.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
Tim Mooney wrote:
>> PAM has hooks for this; they work about as well as the rest of PAM.
>
> In your opinion, how well is that?
I recommend that you use nss groups as the source db for authorization,
and use pam_access for authorization.
> As you can see, though, to fully function within this system, I'm in need
> of a PAM module that can essentially do "username conversion" as part of
> the authentication phase, because what a user supplies at the telnet
> prompt as their username may not be what their actual underlying
> identifier is on the system (and it may not be what is used as part of
> Kerberos 5 authentication, so the "username conversion" needs to happen
> *in* the authentication phase)
>
> It's my understanding that the PAM API supports this feature (i.e. who
> you supply at a login prompt may be different from your underlying ID on
> the box),
> but most PAM modules don't bother to call whatever function it
> is that PAM has that does the username conversion. I'm not (yet) a PAM
> guru, though, so I could be wildly mistaken.
PAM doesn't have such a function. The PAM modules use PAM_USER as the
username, and you can preset or alter PAM_USER from any app or from a
PAM module.
But it's true that it is not a common usage.
One solution may be that you write a PAM module which prompts for the
username (it will get Tim.Mooney), then makes a lookup in LDAP, converts
it to the POSIX username (mooney) and stores it as PAM_USER.
I saw such a module, and with a well-written PAM-aware application it can work.
The main problem with it can be that e.g. the application will get the
username itself, store it internally (independently of PAM) and then
try to use it as the POSIX user name (e.g. PAM-aware poppasswd).
> That's why I believe I need a source-available pam_krb5 module for
> authentication, instead of going with something like SEAM's authentication
> module. If I'm wrong, I would love to hear about it.
No, the problems here are not with PAM modules; they will simply use
PAM_USER, and if you alter it with a preexisting PAM module, then it
works well.
The problems here are with the application.
So even if you write your own pam_krb5, you will have problems with
apps (and Solaris has many broken PAM-aware applications).
> For the particular Solaris box in question, it's not currently doing the
> electronic ID to POSIX username conversion anyway, so it's not fully
> functioning as part of the Hurderos system right now.
I strongly recommend that you don't use the "Hurderos IAA usernames" anywhere.
> Users that want to
> authenticate to that system are required to know and use their POSIX
> username.
Yes, but it will work. :)
> Tim
balsa
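A sketch of the username-converting module Balazs describes, as an added example that is not from the thread: it obtains the login name with pam_get_user(), maps it to the POSIX account name and overwrites PAM_USER, so pam_krb5 and the application see "mooney" instead of "Tim.Mooney". It is written against the Linux-PAM API (Solaris declares pam_get_user() with char **), the LDAP lookup is replaced by a constructed table, and the PAM entry points are guarded by BUILD_PAM_MODULE so the mapping logic can be compiled and tested on its own.

```c
/* Added example, not code from the thread: a PAM auth module that maps the name
 * typed at the login prompt ("Tim.Mooney") to the POSIX account name ("mooney")
 * and stores it as PAM_USER, so modules stacked after it (pam_krb5, pam_unix,
 * pam_access) and the application see the POSIX name. LDAP is stood in for by
 * a constructed table. */
#include <stddef.h>
#include <string.h>
#include <strings.h>

struct name_map { const char *login; const char *posix; };
/* Constructed directory entries; a real module would query LDAP here. */
static const struct name_map directory[] = {
    { "Tim.Mooney", "mooney" }, { "Balazs.Gal", "balsa" },
};

/* POSIX name for a login name (matched case-insensitively), NULL if unknown. */
const char *map_to_posix(const char *login)
{
    size_t i;
    if (login == NULL || *login == '\0')
        return NULL;
    for (i = 0; i < sizeof directory / sizeof directory[0]; i++)
        if (strcasecmp(login, directory[i].login) == 0)
            return directory[i].posix;
    return NULL;
}

/* PAM glue (Linux-PAM API). Build the module with:
 *   cc -shared -fPIC -DBUILD_PAM_MODULE -o pam_mapuser.so pam_mapuser.c -lpam */
#ifdef BUILD_PAM_MODULE
#include <security/pam_appl.h>
#include <security/pam_modules.h>
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *login = NULL, *posix;
    (void)flags; (void)argc; (void)argv;
    /* pam_get_user() prompts only if the application did not preset PAM_USER. */
    if (pam_get_user(pamh, &login, NULL) != PAM_SUCCESS || login == NULL)
        return PAM_AUTH_ERR;
    if ((posix = map_to_posix(login)) == NULL)
        return PAM_USER_UNKNOWN;
    /* Overwrite PAM_USER: later modules and pam_get_item(PAM_USER) now get "mooney". */
    return pam_set_item(pamh, PAM_USER, posix) == PAM_SUCCESS ? PAM_SUCCESS : PAM_SYSTEM_ERR;
}
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return PAM_SUCCESS;   /* nothing to do; defined so pam_setcred() resolves */
}
#endif
```

The application-side caveat from the post still applies: after pam_authenticate() the application must read the account name back with pam_get_item(pamh, PAM_USER, ...) rather than reuse the string it prompted for itself.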
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos