
Re: PAM and Kerberos

> Nicolas Williams <Nicolas.Williams@ubsw.com> writes:
> >> PAM (and PAM_KRB5) would only be called by /bin/login and /bin/su.
> >> /bin/login would call pam_authenticate() and /bin/su wouldn't. Both
> >> would call PAM's account/session management functions and PAM_KRB5's
> >> session management would handle renaming/chowning of the user's
> >> credentials file as well as setting KRB5_CCNAME.
> A nit: credentials should never be chown'd, and renaming is also not a
> good idea.  They should be created *as* the user.  Otherwise, you can
> get into trouble with interactions with sticky bits, race conditions,
> quotas, permission mapping, or a number of other unix subtleties which
> all vanish when you just call creat() as the user who owns the
> tickets.
> Hopefully, it isn't an inherent property of PAM that you need to use
> chown.
> 		Marc

There is a desire to allow credentials to be forwarded after the
connection is established.  In this situation you really have no
choice but to tamper with the credentials cache as root.

                  Jeffrey Altman * Sr.Software Designer
                 The Kermit Project * Columbia University
               612 West 115th St * New York, NY * 10025 * USA
     http://www.kermit-project.org/ * kermit-support@kermit-project.org
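The following is an added illustration of the point raised in the quoted text (create the credentials cache *as* the user instead of creating it as root and then chown'ing or renaming it); it is not code from this thread, from PAM, or from any Kerberos implementation. It forks a child that permanently drops to the target uid/gid and only then calls open() with O_CREAT|O_EXCL, so ownership, quota accounting, and sticky-bit handling are all decided by the kernel for the correct user and there is no window in which a root-owned file could be swapped out. The path, the uid/gid, and the scratch directory are constructed for the demo; the helper names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Create the credentials cache at `path` as uid/gid.
 * The child drops privileges in the required order (supplementary groups,
 * gid, uid), verifies that root cannot be regained, and only then creates
 * the file with O_CREAT|O_EXCL|O_NOFOLLOW and mode 0600.  Nothing is ever
 * chown'd or renamed.  Returns 0 on success, -1 on failure. */
int create_ccache_as_user(const char *path, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Only root may clear supplementary groups; an unprivileged caller
         * is already running as the target user. */
        if (geteuid() == 0 && setgroups(0, NULL) != 0) _exit(2);
        if (setgid(gid) != 0) _exit(3);
        if (setuid(uid) != 0) _exit(4);
        /* Privilege drop must be permanent: regaining root is a failure. */
        if (uid != 0 && setuid(0) == 0) _exit(5);
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
        if (fd < 0) _exit(6);
        close(fd);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Post-condition check: a regular file (not a symlink), owned by uid,
 * readable and writable by the owner only. */
int ccache_is_private_to(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == uid &&
           (st.st_mode & 0777) == 0600;
}

/* Self-contained demonstration using the caller's own uid/gid so it runs
 * unprivileged.  Returns 1 when every step behaves as expected. */
int demo_create_and_verify(void)
{
    char dir[] = "/tmp/ccache_demoXXXXXX";          /* constructed scratch dir */
    if (mkdtemp(dir) == NULL)
        return 0;
    char path[256];
    snprintf(path, sizeof path, "%s/krb5cc_example", dir);
    uid_t uid = getuid();
    gid_t gid = getgid();

    int ok = create_ccache_as_user(path, uid, gid) == 0
          && ccache_is_private_to(path, uid)
          /* O_EXCL refuses to reuse a pre-existing file at the same path */
          && create_ccache_as_user(path, uid, gid) == -1;

    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("create-as-user demo: %s\n", demo_create_and_verify() ? "ok" : "FAILED");
    return 0;
}
```

When run as root on behalf of a login session, the same function is called with the user's uid/gid; the file then appears already owned by that user, which is exactly the state the quoted text asks for. The reply's caveat stands: if tickets are forwarded after the session is up, there is no longer a child running as the user to hand the file to, and root must touch the cache directly.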
