[28446] in Kerberos
Re: pam-krb5 3.6 released
daemon@ATHENA.MIT.EDU (Sam Hartman)
Thu Sep 20 13:01:09 2007
From: Sam Hartman <hartmans@mit.edu>
To: Markus Moeller <huaraz@moeller.plus.com>
Date: Thu, 20 Sep 2007 13:00:42 -0400
In-Reply-To: <20070919215715.GW5159@Sun.COM> (Nicolas Williams's message of
"Wed, 19 Sep 2007 16:57:15 -0500")
Message-ID: <tsl1wctff0l.fsf@mit.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams@sun.com> writes:
Nicolas> On Wed, Sep 19, 2007 at 08:06:42PM +0100, Markus Moeller
Nicolas> wrote:
>> Did you have a chance to look at the keytab verification
>> problem I mentioned some time ago ? Right now you need to have
>> a host/fqdn entry to verify the tickets, but this means the
>> application needs to run as root (Assuming verify_ap_req_nofail
>> is set to true which I think should be the default for pam
>> anyway)
Nicolas> Solaris PAM requires that PAM functions be called with
Nicolas> all [zone] privileges asserted. It's a very good
Nicolas> simplifying assumption that PAM modules will need
Nicolas> privilege, and PAM being pluggable, the framework and the
Nicolas> application cannot know a priori which privileges a
Nicolas> module might need. I would apply the same constraint to
Nicolas> Linux-PAM.
Nicolas> Applications like screen savers must either be part of
Nicolas> the trusted base, and setuid or what-have-you, or they
Nicolas> must be able to use a helper process to handle
Nicolas> authentication.
We've been unab/unable to convince the Linux community of this.
Very very frustrating.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos