
Using PAM to manage shared authentication

After doing some reading in the PAM docs I'm starting to think that it
would be a good solution for a shared passwd management problem we are
having. We have several machines which will have the same accounts,
some that can login, some that can't.

I'd like to do something like this, but I seem to be running into some

On the interactive shell machine use kerberos (or perhaps radius) to
provide primary authentication with fallback to a small shadow collection
that would be used by admin folk in case the kerberos server was out
of reach.

On a mail server use kerberos to provide authentication for a pop
server, but disable login except for people in a shadow file.

Both of these things seem theoretically possible, and I have it
working for someone who has both a kerberos instance and an entry in
the shadow file. For someone who is only listed in the passwd file and
has a kerberos entry I can get login to work, but I don't seem to know
what I'm doing when it comes to setting up passwd. The problem seems
to be in getting PAM to be aware of someone who is not listed in the
shadow file.

Having a system where there are two passwd binaries, one that only
does kerberos, and one that does both kerberos and shadow, is
acceptable, but I'm not quite sure how that would work either.

I think I'm probably missing something fundamental about how all this
works. If you have any input I would be very grateful. Both comments
on the particulars as well as thoughts on the overall idea. If you
know of a better way to do what we are trying to do I'd love to hear
that too (we don't want to do NIS).


Chris Dent SysThug
Kiva Networking
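A PAM stack for the two setups described above, as an added example that is not from the original post. It assumes Linux-PAM configuration syntax with the pam_krb5 and pam_unix modules, and that the local shadow file on the shell machine holds only the admin accounts.

```pam
# --- Interactive shell machine: /etc/pam.d/login (constructed example) ---
# Kerberos is tried first. "sufficient" means a Kerberos success ends the
# stack immediately, so pam_unix never runs for users who have no shadow
# entry. If the KDC is unreachable pam_krb5 fails and control falls through
# to pam_unix, which only admits the admin accounts kept in /etc/shadow.
auth      sufficient  pam_krb5.so
auth      required    pam_unix.so try_first_pass

account   sufficient  pam_krb5.so
account   required    pam_unix.so

# Same ordering for password changes: a Kerberos-only user's change is
# completed at the KDC and the stack stops, so pam_unix is never asked to
# update a shadow entry that does not exist. Admins with both a principal
# and a shadow entry still get the shadow line via a second run of passwd
# if the KDC is down.
password  sufficient  pam_krb5.so
password  required    pam_unix.so use_authtok

# --- Mail server: /etc/pam.d/pop (constructed example) ---
# POP clients authenticate against Kerberos only; no local entry needed.
auth      required    pam_krb5.so
account   required    pam_krb5.so

# --- Mail server: /etc/pam.d/login (constructed example) ---
# Interactive login is gated purely on the shadow file, so anyone with a
# Kerberos principal but no shadow entry is refused at the "account" step.
auth      required    pam_unix.so
account   required    pam_unix.so
```

The ordering matters: if pam_unix were listed first with "required", its failure for a user absent from the shadow file would be recorded and the login would be refused even after a later Kerberos success.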
