Date: Mon, 9 May 2005 10:24:23 -0600
From: Tillman Hodgson <tillman@seekingfire.com>
To: freebsd-questions@freebsd.org
Subject: Re: Kerberos
Message-ID: <20050509162423.GP48310@seekingfire.com>
In-Reply-To: <20050509155321.89400.qmail@web50408.mail.yahoo.com>
References: <20050506040544.3DFFE16A4D3@hub.freebsd.org> <20050509155321.89400.qmail@web50408.mail.yahoo.com>
On Mon, May 09, 2005 at 08:53:21AM -0700, Damian Sobieralski wrote:
> > PAM does not map well to Kerberos, unfortunately. Generally speaking
> > you want to avoid PAM with Kerberos if you can possibly use native
> > Kerberos
>
> :-)
>
> It seems my ignorance is kicking in here- how would they log into the
> machine first, to issue "kinit"/native if I don't use PAM to get them
> INTO the machine?

Using Kerberos-native login binaries, for example. Once logged in, connecting to other hosts is done using Kerberos-native applications like telnet -x, SSH with GSSAPI, etc.

A well-written PAM module can also work here, but generally should be avoided for network services. The problem is that PAM basically assumes a username/password pair. Kerberos doesn't give you that with network services.

> I just modified the /etc/pam.d/sshd file (only using kerberos for
> sshd):

Look into the GSSAPI options for /etc/ssh/ssh_config instead. Newer OpenSSH versions support Kerberos natively and don't need PAM hacks.

-T

-- 
Laws to suppress tend to strengthen what they would prohibit. This is the fine point on which all the legal professions of history have based their job security.
- Bene Gesserit Coda
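An added example, not from the thread: a small Python audit of the server-side counterpart to the reply's advice, /etc/ssh/sshd_config, that reports whether sshd is set up for ticket-based GSSAPI logins or still relies on password checks at the KDC. The keyword defaults are upstream OpenSSH's (FreeBSD's shipped file may differ) and both sample configs are constructed.

```python
import re

# Upstream OpenSSH defaults for the sshd_config keywords audited here.
DEFAULTS = {
    "gssapiauthentication": "no",       # accept Kerberos tickets via GSSAPI
    "gssapicleanupcredentials": "yes",  # destroy delegated tickets at logout
    "kerberosauthentication": "no",     # check typed *passwords* at the KDC
}

# Constructed sample configs (not from the thread).
WEAK_CONFIG = """
UsePAM yes
PasswordAuthentication yes
KerberosAuthentication yes
"""
NATIVE_CONFIG = """
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
KerberosAuthentication no
Match User backup
    GSSAPIAuthentication no
"""

def effective_settings(config_text):
    """Effective global value of each DEFAULTS keyword, following sshd's rules:
    keywords are case-insensitive, the first occurrence wins, and anything
    after the first Match block is conditional, so it is skipped."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key val" or "Key=val"
        key = parts[0].lower()
        if key == "match":
            break
        if key in DEFAULTS and len(parts) == 2:
            seen.setdefault(key, parts[1].strip())
    return {k: seen.get(k, d) for k, d in DEFAULTS.items()}

def audit(config_text):
    """Findings that mean sshd is not doing Kerberos the native way."""
    s = effective_settings(config_text)
    findings = []
    if s["gssapiauthentication"] != "yes":
        findings.append("GSSAPIAuthentication off: no ticket-based login")
    if s["gssapicleanupcredentials"] != "yes":
        findings.append("GSSAPICleanupCredentials off: tickets outlive session")
    if s["kerberosauthentication"] == "yes":
        findings.append("KerberosAuthentication on: password checked at KDC")
    return findings
```

Running audit(WEAK_CONFIG) yields two findings, while audit(NATIVE_CONFIG) yields none; the Match block at the end is ignored because it only applies conditionally.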