PAM/Kerberos requiring local accounts

Tobias Schaefer T.Schaefer at science-computing.de
Wed May 5 11:17:27 UTC 2004


Hi Jeff,

> I guess though that I'm not really understanding why it's necessary.  For
> the setup that I need this for, I'm completely uninterested as to their
> account details, UIDs, GIDs, etc.  I want to know only one thing:  according
> to the Kerberos servers, is this a correct username and password
> combination?  The user isn't doing anything local to the box, so they don't
> even need a UID...and indeed, the function that calls the PAM authentication
> with the module I'm using (called pam_auth() ) only returns one thing:  true
> or false.

the authentication of Kerberos isn't really connected to UNIX. But the
credentials are stored on the local machine. In the case of MIT Kerberos this
is a file on disk that the local user owns. And so there is a need for
UID information.

The storing of your TGT is a side effect of the Kerberos PAM module. The generic
PAM mechanism doesn't know anything about that.

You could probably change the module to your needs if you are really sure
that you don't need the ticket(s) after the initial authentication. I
don't know enough of your application to assume anything about this.

> Kerberos, I keep getting told, is for authentication only...which is exactly
> why I want it.  How weird then that I can't simply specify in my pam.d that
> I *want* authentication and authentication only...

In principle you are right. But Kerberos is not just about password
authentication. The PAM module does password authentication. But it
cannot assume how the application makes use of the TGT that it gets in the
process.

Normally you provide the password once on login and then do Kerberos
authentication to several services, without involving PAM, for the period
of validity of your ticket, without ever providing the password again. It
is an implementation issue how the necessary information is stored.


Tobias
-- 

  Tobias Schaefer				Phone	07071-9457-406
  science + computing ag			FAX	07071-9457-411
  Hagellocher Weg 71-75
  D-72070 Tuebingen     Email: T.Schaefer at science-computing.de
        WWW:  http://www.science-computing.de/
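As an added illustration, not part of the original thread: the two PAM stacks below contrast the login case Tobias describes (the module writes a ticket cache owned by the local user, so a UID is needed) with an authentication-only service of the kind Jeff asks about. The service name and the `no_ccache` option are assumptions; `no_ccache` is an option of Russ Allbery's pam-krb5 module, and a module without such an option still needs the local account.

```text
# /etc/pam.d/login  (interactive login: the ticket cache is wanted)
# pam_authenticate() checks the password against the KDC; the login
# program then calls pam_setcred(), and the module writes the TGT to a
# credential cache file owned by the local user's UID.
auth     required   pam_krb5.so
session  optional   pam_krb5.so

# /etc/pam.d/myservice  (assumed service name; authentication only)
# The application only calls pam_authenticate() and wants true/false.
# no_ccache tells the module not to write a ticket cache, which is the
# step that needs a local UID; nothing here calls pam_setcred() or
# opens a session, so the TGT is discarded after the check.
auth     required   pam_krb5.so no_ccache
```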