[14601] in Kerberos
Re: canonical kerberos pam module for solaris 2.7 ?
daemon@ATHENA.MIT.EDU (David Thompson)
Wed Jun 27 10:57:16 2001
Message-Id: <200106271455.JAA08486@pongo.cs.wisc.edu>
To: Martin Schulz <schulz@iwrmm.math.uni-karlsruhe.de>, kerberos@MIT.EDU
In-Reply-To: Message from Nicolas Williams <Nicolas.Williams@ubsw.com>
of "Wed, 27 Jun 2001 10:22:30 EDT." <20010627102226.C9416@sm2p1386swk.wdr.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 27 Jun 2001 09:55:08 -0500
From: David Thompson <thomas@cs.wisc.edu>

Nicolas Williams wrote:
>
>There's been some discussion (on the Linux-PAM list) about the need for
>a module that can support AFS with krb5. I think the most desirable
>approach would be to have a pam_afs which uses a [temporary] ccache
>created by pam_krb5 to do its thing.
>
It's been on my list for some time to write two modules, one to do the krb5
authentication (or perhaps use an existing krb5 pam module), and a separate
afs module which would use the krb5 credentials if available, otherwise do a
direct authentication against the kaserver.

We're using a combined module currently. It works, but I think it would be
cleaner and more proper to break it up. Among other things, it would allow us
to only authenticate against one mechanism if one was all we needed. We do
have some krb5-only and some afs-only services that we support. Not having to
SETPAG on the krb5-only services, and not having to gen the krb5 ticket cache
(_and_ clean it up later) on the afs-only services would be very nice.
--
Dave Thompson <thomas@cs.wisc.edu>
Associate Researcher Department of Computer Science
University of Wisconsin-Madison http://www.cs.wisc.edu/~thomas
1210 West Dayton Street Phone: (608)-262-1017
Madison, WI 53706-1685 Fax: (608)-262-6626
--