[33153] in Kerberos


Re: pam-krb5.so

daemon@ATHENA.MIT.EDU (Russ Allbery)
Thu Jan 27 01:53:55 2011

From: Russ Allbery <rra@stanford.edu>
To: "kerberos\@mit.edu" <kerberos@mit.edu>
In-Reply-To: <4D41142B.2010803@cbnco.com> (Tom Parker's message of "Thu, 27
	Jan 2011 01:43:55 -0500")
Date: Wed, 26 Jan 2011 22:53:49 -0800
Message-ID: <877hdqet1e.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Tom Parker <tparker@cbnco.com> writes:

> I am wondering if the account

>      account  required  pam_krb5.so minimum_uid=1000

> line is required at all in common-account if I am using LDAP for access
> control.  It seems to be doing nothing on my systems and my login
> behaviour does not change if this line is commented out.

All the checks that the pam_krb5 module does during the account group it
also does during the auth group, so indeed this check doesn't really do
much exciting for you (although it also doesn't hurt).  Note: this
statement only applies when using the default options.  If you set
defer_pwchange, you have to have an account group configured or you'll
have some security holes.

> What checks are being performed here that are needed?

>      auth  sufficient   pam_krb5.so minimum_uid=1000

This is what's authenticating your users, assuming you're using Kerberos
passwords.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
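
The defer_pwchange caveat in the message above can be checked mechanically. The following is an added example, not part of the original message or of pam-krb5: a small Python checker that assumes /etc/pam.d-style lines and only sees options given on the PAM line itself. The sample stacks and function names are constructed for illustration.

```python
import re

# Constructed sample stacks in /etc/pam.d format (not from the original message).
DEFAULT_NO_ACCOUNT = """\
auth     sufficient  pam_krb5.so minimum_uid=1000
account  required    pam_unix.so
"""
DEFERRED_NO_ACCOUNT = """\
auth     sufficient  /lib/security/pam_krb5.so minimum_uid=1000 defer_pwchange
#account required    pam_krb5.so minimum_uid=1000
account  required    pam_unix.so
"""
DEFERRED_WITH_ACCOUNT = """\
auth     [success=1 default=ignore]  pam_krb5.so minimum_uid=1000 defer_pwchange
account  required    pam_krb5.so minimum_uid=1000
"""

# group, control (simple keyword or [value=action ...]), module, options
LINE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_pam(text):
    """Yield (group, module basename, options) for each active line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = LINE.match(line)
        if not m:                             # blank, comment-only, @include
            continue
        group, _control, module, opts = m.groups()
        yield group.lower(), module.rsplit("/", 1)[-1], opts.split()

def check_krb5_stack(text):
    """Return (severity, message) findings about pam_krb5 in one stack."""
    krb5 = [(g, o) for g, mod, o in parse_pam(text) if mod == "pam_krb5.so"]
    auth_opts = [o for g, o in krb5 if g == "auth"]
    has_account = any(g == "account" for g, _ in krb5)
    if not auth_opts or has_account:
        return []
    if any("defer_pwchange" in o for o in auth_opts):
        return [("warning",
                 "defer_pwchange is set but no pam_krb5 account line is active")]
    return [("info",
             "no pam_krb5 account line; default options run the same checks in auth")]

if __name__ == "__main__":
    for name in ("DEFAULT_NO_ACCOUNT", "DEFERRED_NO_ACCOUNT", "DEFERRED_WITH_ACCOUNT"):
        print(name, check_krb5_stack(globals()[name]))
```

Options set outside the PAM line are not visible to this check, so an empty result only covers what the stack file itself declares.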
