
Logging, credentials and Kerberos modules...

I've read with interest the discussion of Kerberos & PAM on the list. Very
fascinating indeed...

I've a few questions. We're deploying an MIT Kerberos/LDAP domain for our
Unix machines, and all is going well - I'm packaging up the relevant
libraries and such for Solaris 7, and using the builtin modules on Solaris 8
and RedHat...

I have a working Kerberos 5 module for Solaris 7 (It's Frank Cusack's
module) and I was making some changes so it could deal with OpenSSH/Kerberos
combinations (where OpenSSH has already done the authentication via
Kerberos, and the TGT has been passed - I just wanted the session/account
portions to work)...

(Is there a better module? The module I use must compile against Stock
Solaris 7 with the MIT Kerberos v1.2.1 libraries - I can't deploy linux-pam
on Solaris, for political reasons).

Things were going reasonably well, until I started to get interested in the
whole thing - what gets called with what uid at what time, so I added lots
of syslog calls in, at which point the module broke - "/dev/console owned by
root but utmp says <login>". (This would have been fine, except that BT then
decided to hang up the phone line, so the terminal I had open onto the
window closed, and I'm now locked out of the machine until Monday <sigh>).

So, what's the best way to log from inside a PAM module?

The other question I had is that the Unix credentials (uid, gid,
supplementary groups) aren't set by PAM modules - why is that?

Also, is there a diagram of the PAM process for a "typical" root-privileged
and non-root privileged daemon who's accepting logins, both with and without
authentication? And a list of how common apps on Solaris & Linux don't obey
that?

(e.g. Stock SSH doesn't work well with the pam_krb5 module, but OpenSSH
does. At the same time, OpenSSH appears to call pam_sm_setcred(DELETE)
*twice*, once before opening a session, once after.... <sigh>. Why?)

Some basic PAM programming introductions, basically.

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+
