[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: PAM and Kerberos



On Mon, Aug 14, 2000 at 05:23:40PM -0400, Bill Sommerfeld wrote:
> > There is a desire to allow credentials to be forwarded after the
> > connection is established.  In this situation you really have no
> > choice but to tamper with the credentials cache as root.  
> 
> I can think of a number of ways of doing this which avoid the need to
> tamper with the credentials cache as root.  (get telnetd to setuid to
> the authenticated user; do all the cred cache maintainance in a forked
> copy of login; ...)
> 
> 					- Bill

The credentials could be passed to PAM_KRB5 through the exec() barrier
in any number of ways. They could be passed in the environment (encoded
in, say, base64); they could passed in an open file descriptor of a
zero-link file; something like Windows 2000's LSA service could be
implemented, perhaps with the help the kernel. Etc...

If it's possible to pass the credentials in the environment, then that's
probably the easiest way to do it, provided that there's a way to remove
them from the environment after PAM_KRB5 creates the credentials cache
file (it should be possible, even without /bin/login's help).

As an aside: /bin/login usually removes or defaults certain variables in
the environment, but usually it does so using a static internal list; it
would be nice if there way a way for the administrator to specify
additional variables to be removed from the environment prior to
execing the user's shell.

Nico
--





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []