
Re: gssapi, sasl, pam interaction



* Adrian Worthington (adiw@adiw.net) wrote:
> but, there have been posts which discourage the use of pam_krb5 due to
> the way any remote services will send an unencrypted password across the
> network, making the usage of kerberos pointless (accepted that the way to
> solve this is not to use those types of login services, i.e. telnet
> etc.).

Using pam_krb5 for remote services is discouraged and bad *regardless*
of the service.  Even with ssh it's discouraged, with good reason.  In
the Kerberos design the user's password is *never* seen by the server,
or even the specific client program for that matter.  What is encouraged
is to get Kerberized client and server programs.  You can do this for
ssh with 3.7 (though it has other issues right now, I'd wait till it
calms down) or 3.6 with Simon's GSSAPI patches.  telnet and a number of
other programs already have Kerberized versions readily available.
There is work being done on apache/mozilla/IE Kerberos integration, etc,
etc.  For LDAP you can use SASL which has a GSSAPI capability.

> Yes, thanks. I guess for now the best way is just to set up login via pam
> using ldap as the account and session, and kerberos as the auth, mixing
> and matching pam_krb5 and pam_ldap.

The *best* way is to not use pam_krb5 except for local logins, it
shouldn't be necessary.

	Stephen

Attachment: pgpXoxsU7cSq1.pgp
Description: PGP signature
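The design point Stephen makes (the user's password is never seen by the server, or even by the client program beyond deriving a key from it) is easier to see in a toy model than in prose. The following is an added example, not code from the thread or from any Kerberos implementation: it collapses the AS and TGS exchanges into one call, stands in a PBKDF2 derivation for string2key and a constructed HMAC-based cipher for the real AES/HMAC encryption profiles, and uses constructed principal names, passwords and the realm salt `EXAMPLE.ORG`. It contrasts a GSSAPI-style service, which only ever holds its own key and a ticket, with a pam_krb5-on-the-remote-host style login, where the service receives the cleartext password and then talks to the KDC with it.

```python
import hashlib
import hmac
import secrets
import struct
import time

REALM_SALT = b"EXAMPLE.ORG"  # constructed; real string2key salts on realm + principal
KDF_ROUNDS = 10_000


def string2key(password: str) -> bytes:
    """Turn a password into a long-term key; stand-in for Kerberos string2key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM_SALT, KDF_ROUNDS, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(blocks))


def seal(key: bytes, data: bytes) -> bytes:
    """Toy authenticated encryption (HMAC-SHA256 keystream + tag); demo only."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, b"tag" + nonce + body, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError on a wrong key or a tampered message."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"tag" + nonce + body, "sha256").digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed (wrong key or tampered message)")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class KDC:
    """Holds every principal's long-term key. Besides the client it is the only
    party that ever derives anything from a password, and only at enrolment."""
    def __init__(self):
        self.keys = {}

    def enrol(self, principal: str, password: str):
        self.keys[principal] = string2key(password)

    def as_exchange(self, client: str, service: str):
        """AS-REQ/AS-REP collapsed into one call (the TGT/TGS step is omitted).
        Returns (enc_part sealed under the client's key, ticket sealed under
        the service's key). Neither part is derived from the password itself."""
        session = secrets.token_bytes(32)
        enc_part = seal(self.keys[client], session + service.encode())
        ticket = seal(self.keys[service], session + client.encode())
        return enc_part, ticket


class KerberizedService:
    """GSSAPI-style service: knows only its own key (its keytab), never a password."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.saw_password = name, key, False

    def ap_exchange(self, ticket: bytes, authenticator: bytes) -> str:
        plain = unseal(self.key, ticket)
        session, client = plain[:32], plain[32:]
        auth = unseal(session, authenticator)             # proves the client holds the session key
        ts, who = struct.unpack(">d", auth[:8])[0], auth[8:]
        if who != client or abs(time.time() - ts) > 300:  # Kerberos-style clock-skew window
            raise PermissionError("authenticator rejected")
        return client.decode()


def kerberos_login(kdc: KDC, principal: str, password: str, svc: KerberizedService) -> str:
    """Client side: the password is only ever turned into a key locally."""
    k_c = string2key(password)
    enc_part, ticket = kdc.as_exchange(principal, svc.name)
    session = unseal(k_c, enc_part)[:32]                  # wrong password -> ValueError here
    authenticator = seal(session, struct.pack(">d", time.time()) + principal.encode())
    return svc.ap_exchange(ticket, authenticator)


class PasswordService:
    """pam_krb5-on-a-remote-host style: the service receives the cleartext password
    and performs the AS exchange itself, so the password has crossed to the server."""
    def __init__(self, kdc: KDC, name: str):
        self.kdc, self.name, self.saw_password = kdc, name, False

    def login(self, principal: str, password: str) -> bool:
        self.saw_password = True                          # the server now holds the cleartext
        enc_part, _ = self.kdc.as_exchange(principal, self.name)
        try:
            unseal(string2key(password), enc_part)
            return True
        except ValueError:
            return False


def demo() -> dict:
    kdc = KDC()
    kdc.enrol("adrian", "correct horse")                  # constructed user and password
    for svc in ("ldap/ldap.example.org", "host/shell.example.org"):
        kdc.enrol(svc, secrets.token_hex(16))             # service keys, keytab equivalent
    ldap = KerberizedService("ldap/ldap.example.org", kdc.keys["ldap/ldap.example.org"])
    shell = PasswordService(kdc, "host/shell.example.org")
    try:
        kerberos_login(kdc, "adrian", "wrong password", ldap)
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return {
        "kerberos_user": kerberos_login(kdc, "adrian", "correct horse", ldap),
        "kerberos_server_saw_password": ldap.saw_password,
        "wrong_password_rejected": wrong_rejected,
        "pam_style_ok": shell.login("adrian", "correct horse"),
        "pam_style_server_saw_password": shell.saw_password,
    }


if __name__ == "__main__":
    print(demo())
```

The two `saw_password` flags are the whole point: in the Kerberized path the LDAP service verifies the client with nothing but its own key and the ticket the KDC issued, while in the password path the remote host has the cleartext in hand before it ever talks to the KDC, which is exactly why the thread recommends pam_krb5 for local logins only and SASL/GSSAPI for LDAP.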