  1. #1
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578

    Kerberos PAM issue


    Hi all!
    I'm currently in the process of upgrading my home security to using Kerberos. It was previously done with NIS, but now I've mangled the passwords in the NIS maps.
    I'm having a slight problem, though, which I'm not sure how to solve in a nice way. I want to have PAM support for both pam_unix and pam_krb5, so that root can log in with his locally stored password in case the network goes down for any reason. And here's the problem: account management. Here's what I have now in my PAM config regarding account management:
    Code:
    account sufficient pam_unix.so
    account sufficient pam_krb5.so
    account required pam_deny.so
    As you can see, that lets a user through if he has either a valid UNIX account OR a valid Kerberos account, and naturally that's not what I want. I want the account to be invalid if the Kerberos account is explicitly invalid, but the UNIX account to be checked if the user doesn't have a Kerberos principal (as with root). So what I'd like is something like this:
    Code:
    account ultimate pam_krb5.so ignore_nonexistant
    account required pam_unix.so
    The ignore_nonexistant option would imply that the pam_krb5 module should return PAM_IGNORE if the user doesn't have a Kerberos principal. The control flag ultimate would imply that the stack returns immediately with the result returned by pam_krb5 as long as it is not PAM_IGNORE.

    However, as far as I know, neither 'ultimate' nor 'ignore_nonexistant' exist. Does anyone know of a way to work around this, or do I have to rewrite both my PAM and pam_krb5?

  2. #2
    Linux Engineer
    Join Date
    Jan 2003
    Location
    Lebanon, pa
    Posts
    994
    I don't see a problem with how that works. If you have a user with a unix account that you don't want them to login, why not just userdel? With the way you want to do it, wouldn't that return PAM_IGNORE every time you try to login with root?

  3. #3
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    The thing is that I want to manage the accounting through Kerberos, i.e. account expiration, password aging, and so on. I don't want to userdel someone just to temporarily disable their account.
    Yes, it would return PAM_IGNORE every time I try to log in as root, and that's the purpose. Since root doesn't have a Kerberos account, I want it to fall back on UNIX accounting for him.
    As it is now, I would have to synchronize Kerberos and UNIX accountings for it to be effective, and that's not very appealing to me.

  5. #4
    Linux Engineer
    Join Date
    Jan 2003
    Location
    Lebanon, pa
    Posts
    994
    I did a little bit of searching and found this pam module option for krb5. Try ignore_unknown_upn. That should return PAM_IGNORE if PAM_USER has no account. Something like this should work:

    auth required pam_krb5.so ignore_unknown_upn
    auth sufficient pam_unix.so use_first_pass
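
    As an added illustration (not code from this thread), here is a small Python model of how Linux-PAM evaluates an account stack under its documented [value=action] control syntax, in which the classic flags are shorthand and the first failure recorded is the one returned. It compares the stack from the first post with the "ultimate" behaviour written as `[success=done ignore=ignore default=die]`, and assumes pam_krb5 can be made to return PAM_IGNORE for users without a principal (e.g. via an option like ignore_unknown_upn, if the module version has it).

```python
# Added example: a model of how Linux-PAM walks an account stack, following the
# documented [value=action] semantics. Not code from the thread or from pam_krb5.

SHORTHAND = {   # the classic flags as Linux-PAM documents them in bracket form
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

def parse_control(control):
    """Map a control field (flag or [..] form) to {return_value: action}."""
    spec = SHORTHAND.get(control, control).strip("[]")
    return dict(kv.split("=") for kv in spec.split())

def run_stack(stack, results):
    """Status the application sees for stack [(control, module), ...], given the
    value each module returns (e.g. 'success', 'ignore', 'acct_expired')."""
    status, impression = None, None          # impression: None, 'pos' or 'neg'
    for control, module in stack:
        ret = results[module]
        actions = parse_control(control)
        action = actions.get(ret, actions.get("default", "bad"))
        if action == "ignore":                 # PAM_IGNORE contributes nothing
            continue
        # Record a result only if none exists yet or the current record is a
        # success; a recorded failure is never overwritten by later modules.
        if impression is None or (impression == "pos" and status == "success"):
            impression = "neg" if action in ("bad", "die") else "pos"
            status = ret
        if action in ("die", "done"):          # terminate the stack now
            break
    return status if status is not None else "perm_denied"  # all ignored: deny

# Stack from the first post, and the wanted 'ultimate' stack in bracket syntax.
# The bracket line assumes pam_krb5 yields PAM_IGNORE for users without a principal.
CURRENT = [("sufficient", "pam_unix.so"),
           ("sufficient", "pam_krb5.so"),
           ("required", "pam_deny.so")]
ULTIMATE = [("[success=done ignore=ignore default=die]", "pam_krb5.so"),
            ("required", "pam_unix.so")]

def decide(stack, krb5, unix):
    """Outcome when the pam_krb5 and pam_unix account checks return krb5 / unix."""
    return run_stack(stack, {"pam_krb5.so": krb5, "pam_unix.so": unix,
                             "pam_deny.so": "perm_denied"})

if __name__ == "__main__":
    for krb5, unix in [("acct_expired", "success"), ("ignore", "success"),
                       ("success", "user_unknown")]:
        print(f"krb5={krb5:<12} unix={unix:<12} current={decide(CURRENT, krb5, unix):<12} "
              f"ultimate={decide(ULTIMATE, krb5, unix)}")
```

    With the bracketed line, an expired Kerberos principal is refused even when the UNIX account is fine, while root (PAM_IGNORE from pam_krb5) falls through to pam_unix. If your pam_krb5 reports a distinct error such as authinfo_unavail when the KDC is unreachable, map that value explicitly in the brackets too, or the default=die will also lock out the fallback you wanted.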

  6. #5
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    Strange... When I search for ignore_unknown_upn on Google, it finds a lot on it, but it's not supported by my version, and not the latest version available from rpmfind.net, and it doesn't seem to be supported even by the latest CVS version on the linux-pam project on SourceForge.
    Thank you very much for the pointer, though. I'll continue to search for it.

  7. #6
    Linux Engineer
    Join Date
    Apr 2003
    Location
    Sweden
    Posts
    796
    Did you find any solution to this, Dolda? I'm also in the process of trying out Kerberos on an enterprise solution..

    Regards

    Andutt

  8. #7
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    Sorry, not yet. I guess the worst outcome is that I'll have to add support for it myself, though. I checked the source for pam_krb5, and it seems really clean, so it wouldn't be hard.

  9. #8
    Linux Engineer
    Join Date
    Apr 2003
    Location
    Sweden
    Posts
    796
    OK, keep me posted on your progress..

    Ha en bra sommar!! In English: Have a good summer!!

    Regards

    Andutt
