
Re: PAM and Kerberos

Nicolas Williams wrote:
> On Sun, 20 Aug 2000, Jeffrey Altman <jaltman@columbia.edu> wrote:
> > > Ok: I requested to login as scott, but lately entered "fred"
> > > as username and fred's password.
> > >
> > > I think that this situation is also possible with kerberized
> > > telnet, _especially_ when PAM concerned: if administrator rejects
> > > someone's access to the system (using pam_listfile etc etc),
> > > 1st login attempt will fail, and after this login will prompt
> > > for a username.  But note that if that second username will be
> > > not the same as first one, we can have at least strange things
> > > with kerberos tickets (yes, if second time login will "fallback"
> > > to plain password auth): Fred on remote machine will have access
> > > to scott's tickets etc.
> >
> > This behavior is by design.  It allows the user to authenticate to the
> > system with their credentials (scott) but login to the account of
> > another user after proving knowledge of the user's password.
> >
> > There is nothing wrong with this.  A properly installed telnetd
> > supporting the telnet AUTH option will be configured to either allow
> > this behavior or not depending on the administrator's preferences.
> > There are four levels of acceptable login:
> Yes, but, I think Michael was writing in the context of /bin/login,
> PAMified, instead of login.krb5.

[sorry for quoting such a big part of the discussion -- mjt]

Thanks Nicolas.  Exactly.  Funny things will happen when krb telnetd
thinks that the PAMified login authenticated scott, while
it really authenticated fred.  And this was an argument for having
a PAMified liblogin used inside telnetd directly, where this sort of
stuff will be fully controlled.  I don't know if it is bad to have
access to scott's tickets as fred, but at least it is funny enough
to take care of this.

Note also that telnetd/login can't just ignore the administrator's settings
in PAM.  This is a bad thing (tm?).


[Kerberos tickets, shared memory, /tmp files]
I don't know about Kerberos at all, sorry.  I see this from
another perspective, not from "inside" Kerberos.  I'm not a Kerberos
developer, and not a subscriber to krbdev.  I just noted what came
to mind about the subject.

But thank god that the krbdev list accepts postings from non-members
(which I can't say about pam-list, can I? -- I see only messages
from Nicolas here), and thanks Nicolas -- I was very glad to see
this "cross-list" discussion, and to see that people (try to)
cooperate.


