
Re: PAM and Kerberos



telnetd does know the filename but it does not know which user the
file should be owned by.

> 
> Could telnetd create the cache file and keep it open, thus obviating the
> need for it to know its future file name? Or perhaps an open Unix socket
> that PAM_KRB5 could use to communicate back to telnetd.
> 
> If this can be done strictly through PAM and specifying some
> requirements for /bin/login, then a /bin/login that behaves like Solaris
> 2.6's (or later) would do fine, provided there's a suitable PAM_KRB5...
> 
> Another alternative is to suck /bin/login into telnetd. But if this
> problem can be solved between telnetd and PAM, then there's no need to
> replace a vendor's /bin/login, provided that /bin/login does the Right
> Things (tm) with PAM.
> 
> Nico
> 
> 
> On Tue, Aug 15, 2000 at 11:51:29AM -0400, Jeffrey Altman wrote:
> > > I had no idea that telnetd could do this.
> > 
> > The current one does not, but I am working on one that does (with Ken
> > Raeburn).
> > 
> > > This presents a problem though, doesn't it? If /bin/login does all the
> > > work, then how can telnetd find what name was ultimately given to the
> > > credentials cache file, or even if login succeeded at all?
> > 
> > Bingo.  You have hit the nail on the head.  Right now the way things
> > work is that telnetd creates the credential cache file and passes its
> > name as an environment variable.  /bin/login (the customized version) 
> > changes the ownership of the credential cache file before it executes
> > the user's shell.
> > 
> > So /bin/login is not doing all of the work.  Just part of it.  telnetd
> > is very well aware of the name of the cache file.  It just needs to
> > switch to the user's account, update the file, and switch back to
> > 'root'.  The problem is that telnetd does not necessarily know the
> > account the user is logged into.  This can be the case when the user
> > authenticates but does not specify a username to use for login; or if
> > the username specified is not authorized for the provided credentials.
> > 
> > 
> > 
> >                   Jeffrey Altman * Sr.Software Designer
> >                  The Kermit Project * Columbia University
> >                612 West 115th St * New York, NY * 10025 * USA
> >      http://www.kermit-project.org/ * kermit-support@kermit-project.org
> > 
> --
> 



                  Jeffrey Altman * Sr.Software Designer
                 The Kermit Project * Columbia University
               612 West 115th St * New York, NY * 10025 * USA
     http://www.kermit-project.org/ * kermit-support@kermit-project.org