Date: Fri, 11 Nov 2005 17:12:55 -0500
From: Corey Smith <csmith@bonddesk.com>
To: freebsd-security@freebsd.org
Subject: pam_krb5 pam_sm_authenticate question
Message-ID: <1131747175.23925.225.camel@localhost>
First time poster so be kind :)

I was looking at the pam_krb5.c code and noticed that for authentication to succeed getpwnam() has to succeed.

Previously I had set up a web site using mod_auth_pam to authenticate against an Active Directory (AD) server using a pam config like:

    # auth
    auth       required     pam_krb5.so     no_ccache no_warn

    # account
    account    required     pam_permit.so

Using security/pam_krb5 this was OK. I didn't need to have AD users in my local /etc/passwd for authentication to be successful.

This is not possible using FreeBSD's pam_krb5.so because of the getpwnam in the authentication function of pam_krb5.c.

I'm not trying to build a bikeshed but shouldn't pam_sm_authenticate verify the password and pam_sm_acct_mgmt verify that the user has a local account?

If this were the case then you could set up other services like ftp and such to use pam_krb5 for AD authentication.

-Corey Smith
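
The local-account check that the message proposes moving into the account phase, written as a stand-alone function (an added example, not part of the original post and not FreeBSD's pam_krb5 code). The function name, the enum and the sample user names are hypothetical; a real module would return PAM_SUCCESS, PAM_USER_UNKNOWN or PAM_SYSTEM_ERR from pam_sm_acct_mgmt.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Hypothetical result codes standing in for PAM return values. */
enum acct_status { ACCT_OK, ACCT_UNKNOWN, ACCT_ERROR };

/* Account-phase check only: does `user` have a local passwd entry?
 * No password or Kerberos ticket is examined here. */
enum acct_status local_account_status(const char *user)
{
    struct passwd pw, *res = NULL;
    size_t len = 1024;
    char *buf = NULL;
    int rc;

    if (user == NULL || *user == '\0')
        return ACCT_UNKNOWN;
    for (;;) {
        char *tmp = realloc(buf, len);
        if (tmp == NULL) { free(buf); return ACCT_ERROR; }
        buf = tmp;
        rc = getpwnam_r(user, &pw, buf, len, &res);
        if (rc != ERANGE)
            break;                      /* found, not found, or hard error */
        if (len > (1u << 20)) { free(buf); return ACCT_ERROR; }
        len *= 2;                       /* entry did not fit: retry larger */
    }
    free(buf);
    if (res != NULL)
        return ACCT_OK;
    /* "No such user" and "lookup failed" are different answers: report a
     * failed lookup separately so a directory outage is not mistaken
     * for an unknown account. */
    if (rc == 0 || rc == ENOENT || rc == ESRCH)
        return ACCT_UNKNOWN;
    return ACCT_ERROR;
}

int main(void)
{
    /* Constructed sample input: one name expected to exist, one not. */
    const char *names[] = { "root", "no-such-user-constructed" };
    for (size_t i = 0; i < 2; i++)
        printf("%s -> %d\n", names[i], (int)local_account_status(names[i]));
    return 0;
}
```

With the check isolated like this, a service that only needs password verification can pair the auth line with pam_permit.so in the account stack, while a login service can require the local entry.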