pam_krb5 pam_sm_authenticate question
Corey Smith
csmith at bonddesk.com
Fri Nov 11 14:12:58 PST 2005
First time poster so be kind :)
I was looking at the pam_krb5.c code and noticed that for authentication
to succeed getpwnam() has to succeed.
Previously I had setup a web site using mod_auth_pam to authenticate
against an active directory (AD) server using a pam config like:
# auth
auth required pam_krb5.so no_ccache no_warn
# account
account required pam_permit.so
Using security/pam_krb5 this was OK. I didn't need to have AD users in
my local /etc/passwd for authentication to be successful. This is not
possible using FreeBSD's pam_krb5.so because of the getpwnam in the
authentication function of pam_krb5.c.
I'm not trying to build a bikeshed but shouldn't pam_sm_authenticate
verify the password and pam_sm_acct_mgmt verify that the user has a
local account?
If this were the case then you could setup other services like ftp and
such to use pam_krb5 for AD authentication.
-Corey Smith
More information about the freebsd-security
mailing list