Kerberos
Tillman Hodgson
tillman at seekingfire.com
Mon May 9 09:24:26 PDT 2005
On Mon, May 09, 2005 at 08:53:21AM -0700, Damian Sobieralski wrote:
> > PAM does not map well to Kerberos, unfortunately. Generally speaking
> > you want to avoid PAM with Kerberos if you can possibly use native
> > Kerberos :-)
>
> It seems my ignorance is kicking in here- how would they log into the
> machine first, to issue "kinit"/native if I don't use PAM to get them
> INTO the machine?

Using Kerberos-native login binaries, for example. Once logged in,
connecting to other hosts is done using Kerberos-native applications
like telnet -x, SSH with GSSAPI, etc. A well-written PAM module can also
work here, but generally should be avoided for network services.

The problem is that PAM basically assumes a username/password pair.
Kerberos doesn't give you that with network services.

> I just modified the /etc/pam.d/sshd file (only using kerberos for
> sshd):

Look into the GSSAPI options for /etc/ssh/ssh_config instead. Newer
OpenSSH versions support Kerberos natively and don't need PAM hacks.

-T
--
Laws to suppress tend to strengthen what they would prohibit. This is the fine
point on which all the legal professions of history have based their job
security.
- Bene Gesserit Coda
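
Added example, not part of the original post: a small POSIX shell check for the native GSSAPI route recommended above. It reads a client ssh_config and a server sshd_config and reports whether ticket-based GSSAPI login is enabled on both sides, or whether sshd would instead validate a typed password against the KDC (KerberosAuthentication). The function names and sample configs are constructed for illustration, and unset keywords are assumed to take the upstream OpenSSH default of no.

```shell
#!/bin/sh
# Added example. OpenSSH uses the first value it obtains for a keyword,
# keywords are case-insensitive, and "Keyword=value" is also accepted.

# Print the effective global value of KEYWORD in FILE, or DEFAULT if unset.
effective_opt() {  # usage: effective_opt FILE KEYWORD DEFAULT
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^#/ || NF == 0 { next }
        { key = tolower($1) }
        key == "host" || key == "match" { exit }  # global section ends here
        key == want { val = tolower($2); found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# Classify how Kerberos reaches sshd: gssapi (ticket), password, or none.
kerberos_ssh_mode() {  # usage: kerberos_ssh_mode SSH_CONFIG SSHD_CONFIG
    c=$(effective_opt "$1" GSSAPIAuthentication no)   # assumed default: no
    s=$(effective_opt "$2" GSSAPIAuthentication no)
    k=$(effective_opt "$2" KerberosAuthentication no)
    if [ "$c" = yes ] && [ "$s" = yes ]; then
        echo gssapi      # client presents a service ticket, no password sent
    elif [ "$k" = yes ]; then
        echo password    # sshd checks the typed password against the KDC
    else
        echo none
    fi
}

# Constructed sample configs, for demonstration only.
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
cat > "$demo/ssh_config" <<'EOF'
# client side
gssapiauthentication = yes
GSSAPIDelegateCredentials no
Host legacy.example.org
    GSSAPIAuthentication no
EOF
cat > "$demo/sshd_config" <<'EOF'
UsePAM no
GSSAPIAuthentication yes
KerberosAuthentication no
Match User backup
    GSSAPIAuthentication no
EOF
kerberos_ssh_mode "$demo/ssh_config" "$demo/sshd_config"
```

Only the global section is evaluated; per-host and Match overrides, and whatever a PAM stack does with Kerberos, are outside what this check sees.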
More information about the freebsd-questions mailing list