Kerberos

Tillman Hodgson tillman at seekingfire.com
Mon May 9 09:24:26 PDT 2005


On Mon, May 09, 2005 at 08:53:21AM -0700, Damian Sobieralski wrote:
> > PAM does not map well to Kerberos, unfortunately. Generally speaking
> > you want to avoid PAM with Kerberos if you can possibly use native
> > Kerberos
> > :-)
> 
>  It seems my ignorance is kicking in here- how would they log into the
> machine first, to issue "kinit"/native if I don't use PAM to get them
> INTO the machine? 

Using Kerberos-native login binaries, for example. Once logged in,
connecting to other hosts is done using Kerberos-native applications
like telnet -x, SSH with GSSAPI, etc. A well-written PAM module can also
work here, but generally should be avoided for network services.

The problem is that PAM basically assumes a username/password pair.
Kerberos doesn't give you that with network services.

>  I just modified the /etc/pam.d/sshd file (only using kerberos for
> sshd):

Look into the GSSAPI options for /etc/ssh/ssh_config instead. Newer
OpenSSH versions support Kerberos natively and don't need PAM hacks.

-T


-- 
Laws to suppress tend to strengthen what they would prohibit.  This is the fine 
point on which all the legal professions of history have based their job 
security.
	- Bene Gesserit Coda
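As an added example, not part of Tillman's reply nor of any FreeBSD or OpenSSH documentation, here is what the GSSAPI route he points at looks like on both sides of an OpenSSH connection, with the discouraged "PAM hack" shown commented out next to it. The server-side options live in sshd_config (the client-side ones in ssh_config); the hostnames, the realm EXAMPLE.COM and the user principal are assumptions for illustration, and the option names are the real OpenSSH ones.

```text
# --- /etc/ssh/sshd_config on the server (added example; hostnames and realm are assumed) ---
# The weak path: sshd prompts for a password and hands it to a Kerberos PAM module.
# sshd never sees a ticket, only a yes/no from PAM, and the password itself is typed
# into every host the user logs into.
#UsePAM yes
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes

# The native path: accept a Kerberos ticket over GSSAPI, no password prompt at all.
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes      # delete forwarded credentials when the session ends
PasswordAuthentication no         # leave no password path for guessing attacks
ChallengeResponseAuthentication no
# sshd needs a host principal in its keytab, e.g. host/server.example.com@EXAMPLE.COM
# in /etc/krb5.keytab; verify with:  klist -k

# --- /etc/ssh/ssh_config on the client ---
Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes   # forward the TGT so hops to further hosts work without kinit

# --- a session, typed on the client (assumed user principal alice@EXAMPLE.COM) ---
# $ kinit alice@EXAMPLE.COM        # obtain the TGT once, locally
# $ klist                          # confirm the ticket is in the cache
# $ ssh -v server.example.com      # expect "Authentication succeeded (gssapi-with-mic)"
```

Two practical caveats: with PasswordAuthentication and ChallengeResponseAuthentication both off, a user without a valid ticket (expired TGT, clock skew beyond the KDC's tolerance) cannot log in at all, so keep public-key authentication enabled as a fallback while testing; and GSSAPIDelegateCredentials hands your TGT to the server, so restrict it to a Host block covering only machines you trust rather than setting it under Host *.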

