[28442] in Kerberos

home help back first fref pref prev next nref lref last post

Re: pam-krb5 3.6 released

daemon@ATHENA.MIT.EDU (Nicolas Williams)
Wed Sep 19 17:57:37 2007

Date: Wed, 19 Sep 2007 16:57:15 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Markus Moeller <huaraz@moeller.plus.com>
Message-ID: <20070919215715.GW5159@Sun.COM>
Mail-Followup-To: Markus Moeller <huaraz@moeller.plus.com>,
	kerberos@mit.edu
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <fcrs1m$mic$1@sea.gmane.org>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Wed, Sep 19, 2007 at 08:06:42PM +0100, Markus Moeller wrote:
>  Did you have a chance to look at the keytab verification problem I 
> mentioned some time ago ?  Right now you need to have a host/fqdn entry to 
> verify the tickets, but this means the application needs to run as root 
> (Assuming verify_ap_req_nofail is set to true which I think should be the 
> default for pam anyway)

Solaris PAM requires that PAM functions be called with all [zone]
privileges asserted.  It's a very good simplifying assumption that PAM
modules will need privilege, and PAM being pluggable, the framework and
the application cannot know a priori which privileges a module might
need.  I would apply the same constraint to Linux-PAM.

Applications like screen savers must either be part of the trusted base,
and setuid or what-have-you, or they must be able to use a helper
process to handle authentication.

Nico
-- 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post