
Re: PAM and Kerberos



Could telnetd create the cache file and keep it open, thus obviating the
need for it to know its future file name? Or perhaps an open Unix socket
that PAM_KRB5 could use to communicate back to telnetd.

If this can be done strictly through PAM and specifying some
requirements for /bin/login, then a /bin/login that behaves like Solaris
2.6's (or later) would do fine, provided there's a suitable PAM_KRB5...

Another alternative is to suck /bin/login into telnetd. But if this
problem can be solved between telnetd and PAM, then there's no need to
replace a vendor's /bin/login, provided that /bin/login does the Right
Things (tm) with PAM.

Nico


On Tue, Aug 15, 2000 at 11:51:29AM -0400, Jeffrey Altman wrote:
> > I had no idea that telnetd could do this.
> 
> The current one does not, but I am working on one that does (with Ken
> Raeburn).
> 
> > This presents a problem though, doesn't it? If /bin/login does all the
> > work, then how can telnetd find what name was ultimately given to the
> > credentials cache file, or even if login succeeded at all?
> 
> Bingo.  You have hit the nail on the head.  Right now the way things
> work is that telnetd creates the credential cache file and passes its
> name as an environment variable.  /bin/login (the customized version) 
> changes the ownership of the credential cache file before it executes
> the user's shell.
> 
> So /bin/login is not doing all of the work.  Just part of it.  telnetd
> is very well aware of the name of the cache file.  It just needs to
> switch to the user's account, update the file, and switch back to
> 'root'.  The problem is that telnetd does not necessarily know the
> account the user is logged into.  This can be the case when the user
> authenticates but does not specify a username to use for login; or if
> the username specified is not authorized for the provided credentials.
> 
> 
> 
>                   Jeffrey Altman * Sr.Software Designer
>                  The Kermit Project * Columbia University
>                612 West 115th St * New York, NY * 10025 * USA
>      http://www.kermit-project.org/ * kermit-support@kermit-project.org
> 
--
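
The first suggestion above (telnetd creates the cache file and keeps it open) relies on a descriptor following the file rather than its path. This added example is not code from the thread or from any telnetd or PAM module: a parent standing in for telnetd creates the file, a child standing in for login renames it, and the parent still updates it through the descriptor. The function name, paths and contents are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 0 if the descriptor held by the "telnetd" side still refers to the
 * cache file after the "login" side renamed it, -1 otherwise. */
int ccache_fd_survives_rename(void)
{
    char old_path[] = "/tmp/krb5cc_demo_XXXXXX";          /* hypothetical name */
    char new_path[sizeof(old_path) + 8];
    static const char creds[] = "refreshed-credentials";  /* placeholder bytes */
    struct stat by_fd, by_name;
    int status, rc = -1;

    int fd = mkstemp(old_path);           /* exclusive create, mode 0600 */
    if (fd < 0)
        return -1;
    snprintf(new_path, sizeof(new_path), "%s.final", old_path);

    pid_t pid = fork();
    if (pid == 0)                         /* child: stands in for login/PAM */
        _exit(rename(old_path, new_path) == 0 ? 0 : 1);
    if (pid < 0 || waitpid(pid, &status, 0) < 0 ||
        !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        goto out;

    /* Parent: stands in for telnetd. It writes without using new_path. */
    if (write(fd, creds, sizeof(creds) - 1) != (ssize_t)(sizeof(creds) - 1))
        goto out;
    if (fstat(fd, &by_fd) < 0 || stat(new_path, &by_name) < 0)
        goto out;
    /* Same device and inode: the write landed in the renamed file. */
    if (by_fd.st_dev == by_name.st_dev && by_fd.st_ino == by_name.st_ino &&
        by_name.st_size == (off_t)(sizeof(creds) - 1) &&
        (by_name.st_mode & 0777) == 0600)
        rc = 0;
out:
    close(fd);
    unlink(new_path);
    unlink(old_path);
    return rc;
}

int main(void)
{
    return ccache_fd_survives_rename() == 0 ? 0 : 1;
}
```

Because the parent writes through the descriptor rather than reopening a path, a later rename or ownership change of the file does not redirect the write.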




