[14605] in Kerberos
Re: canonical kerberos pam module for solaris 2.7 ?
daemon@ATHENA.MIT.EDU (Martin Schulz)
Wed Jun 27 11:41:08 2001
To: Nicolas Williams <Nicolas.Williams@ubsw.com>
Cc: kerberos@MIT.EDU
Content-Type: text/plain; charset=US-ASCII
From: Martin Schulz <schulz@iwrmm.math.uni-karlsruhe.de>
Date: 27 Jun 2001 17:38:11 +0200
In-Reply-To: Nicolas Williams's message of "Wed, 27 Jun 2001 10:22:30 -0400"
Message-ID: <m3n16ugcgs.fsf@iwr15.mathematik.uni-karlsruhe.de>
MIME-Version: 1.0
Nicolas Williams <Nicolas.Williams@ubsw.com> writes:
> On Wed, Jun 27, 2001 at 02:28:42PM +0200, Martin Schulz wrote:
> > Nicolas Williams <Nicolas.Williams@ubsw.com> writes:
> >
> > > PAM_KRB5 is one very re-invented wheel!
> >
> > Yes it seems so. Thats why I asked for the "canonical way".
> >
> > I now have chosen to use the same module I already use on my linux
> > boxes, the pam_krb5afs. It was not so easy to get it compiling and
> > work (installing flex, lots of library issues, libkrbafs.so and so
> > on.)
>
> Is this the RedHat module?
Yes, indeed. I pulled the source out of the srpm and made it compile
on solaris.
> There's been some discussion (on the Linux-PAM list) about the need for
> a module that can support AFS with krb5. I think the most desirable
> approach would be to have a pam_afs which uses a [temporary] ccache
> created by pam_krb5 to do its thing.
Redhat's module comes in two flavours (out of the same source file),
if you don't need, afs, just take pam_krb5, if you to, take
pam_krb5afs.
There is a program called aklog (by Ken Hornstein) that obtains an afs
token based on a kerberos 5 ticket. There is a pam-aklog module that
provides the calls to that aklog and the corresponding unlog program.
AFAIK, the redhat pam_krb5afs module does not use that aklog program,
instead, it uses some other krb4 libraries.
Yours,
--
Martin Schulz schulz@iwrmm.math.uni-karlsruhe.de
Uni Karlsruhe, Institut f. wissenschaftliches Rechnen u. math. Modellbildung
Engesser Str. 6, 76128 Karlsruhe
