[33157] in Kerberos
Re: pam-krb5.so
daemon@ATHENA.MIT.EDU (Russ Allbery)
Thu Jan 27 15:06:55 2011
From: Russ Allbery <rra@stanford.edu>
To: "kerberos@mit.edu" <kerberos@mit.edu>
In-Reply-To: <20110127074523.GA7431@talktalkplc.com> (Brian Candler's message of "Thu, 27 Jan 2011 07:45:23 +0000")
Date: Thu, 27 Jan 2011 12:06:51 -0800
Message-ID: <87bp32kt5w.fsf@windlord.stanford.edu>
Brian Candler <B.Candler@pobox.com> writes:
> As I understand it, pam_krb5 is basically a password checker; it uses
> the password you supply to acquire a Kerberos ticket, and as a
> side-effect lets you log in if it was able to acquire one. That's the
> "auth" functionality anyway. The "account" functionality is a bit more
> subtle. According to the manpage: http://linux.die.net/man/8/pam_krb5
> "If the module did participate in authenticating the user, it will check
> for an expired user password and verify the user's authorization using
> the .k5login file of the user being authenticated, which is expected to
> be accessible to the module."
It had better be doing this in the auth action as well, since otherwise
there are going to be vulnerabilities in practice. The account group
isn't as consistently and properly used as it should be.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
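A defender's check for the gap Russ is pointing at, as an added example (not code from this thread or from pam_krb5): it scans a pam.d-style directory for services that run pam_krb5.so in the auth stack but never in the account stack, the case in which an authorization check performed only in account would be skipped. The directory and both sample service files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from pam_krb5). Flags PAM services that
# authenticate through pam_krb5.so but never call it in the account stack, which
# is the situation in which an account-only authorization check would be skipped.
# Sample service files below are constructed; real pam.d files will vary.

# Create a temporary pam.d-style directory with one weak and one corrected service.
make_sample_pamd() {
    dir=$(mktemp -d)
    # weak: Kerberos authenticates the login, but pam_krb5 is absent from account
    cat > "$dir/weak-login" <<'EOF'
auth     sufficient pam_krb5.so
auth     required   pam_unix.so
account  required   pam_unix.so
EOF
    # corrected: pam_krb5 also runs in the account stack
    cat > "$dir/good-login" <<'EOF'
auth     sufficient pam_krb5.so
auth     required   pam_unix.so
account  required   pam_krb5.so
account  required   pam_unix.so
EOF
    echo "$dir"
}

# Return 0 if every service in $1 that uses pam_krb5 for auth also uses it for
# account; otherwise print a warning per offending service and return 1.
audit_pam_dir() {
    pamd="$1"
    rc=0
    for f in "$pamd"/*; do
        [ -f "$f" ] || continue
        # A leading "-" marks an optional module line; comment lines never match.
        auth_n=$(grep -Ec '^[[:space:]]*-?auth[[:space:]].*pam_krb5\.so' "$f" || true)
        acct_n=$(grep -Ec '^[[:space:]]*-?account[[:space:]].*pam_krb5\.so' "$f" || true)
        if [ "$auth_n" -gt 0 ] && [ "$acct_n" -eq 0 ]; then
            echo "WARN: $(basename "$f"): pam_krb5.so in auth but not in account"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: audit the constructed directory, report, then clean up.
d=$(make_sample_pamd)
if audit_pam_dir "$d"; then echo "audit: clean"; else echo "audit: problems found"; fi
rm -rf "$d"
```

Point it at the real /etc/pam.d to audit a host; each warning names a service whose Kerberos-authenticated logins bypass whatever pam_krb5 only enforces in its account action.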
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos