Date: Wed, 01 Aug 2007 21:06:17 -0700
From: "Jason C. Wells" <jcw@highperformance.net>
To: freebsd general questions <freebsd-questions@freebsd.org>
Subject: PAM, su, and ksu behavior
Message-ID: <46B15839.1060604@highperformance.net>

I would like for the su command to NOT prompt the user for any password when the user has a Kerberos ticket. That is, su should not prompt for a Kerberos or unix passwd. PAM is unable to determine if a terminal is encrypted and so the system should not inspire the user to cough up a password.

I simply added:

    auth sufficient pam_ksu.so no_warn

to the second line in the default /etc/pam.d/su config file. It worked, but I would not expect to be prompted for a password when I already have a ticket. (Secure single sign on is the whole point, right?)

What I desire is the behavior of the MIT ksu command. If the principal is listed in .k5login and has a valid ticket for the requesting principal, to be granted the shell as the new UID.

Near as I can tell, the Heimdal ksu command that comes with FreeBSD has nothing to do with PAM. Is that true?

Don't assume that I understand PAM. I have been looking at this for all of a couple days. It seems dead simple. Maybe I just can't get the behavior I want.

Thanks,
Jason C. Wells