pam_krb5 pam_sm_authenticate question
From: Corey Smith (csmith_at_bonddesk.com)
Date: 11/11/05
To: freebsd-security@freebsd.org
Date: Fri, 11 Nov 2005 17:12:55 -0500
First time poster so be kind :)
I was looking at the pam_krb5.c code and noticed that for authentication
to succeed getpwnam() has to succeed.
Previously I had set up a web site using mod_auth_pam to authenticate
against an Active Directory (AD) server using a pam config like:
    # auth
    auth required pam_krb5.so no_ccache no_warn
    # account
    account required pam_permit.so
Using security/pam_krb5 this was OK. I didn't need to have AD users in
my local /etc/passwd for authentication to be successful. This is not
possible using FreeBSD's pam_krb5.so because of the getpwnam in the
authentication function of pam_krb5.c.
I'm not trying to build a bikeshed but shouldn't pam_sm_authenticate
verify the password and pam_sm_acct_mgmt verify that the user has a
local account?
If this were the case then you could set up other services like ftp and
such to use pam_krb5 for AD authentication.
-Corey Smith
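
An added illustration of the split the post asks about (not code from pam_krb5.c or from the poster): a small C model in which the password check is a constructed stand-in for the KDC and only the getpwnam() lookup is real. The names DIR_USER, kdc_verify, run_stack and the RC_* codes are hypothetical, and DIR_USER is assumed to have no local passwd entry.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for PAM_SUCCESS, PAM_AUTH_ERR and PAM_USER_UNKNOWN. */
enum rc { RC_SUCCESS, RC_AUTH_ERR, RC_USER_UNKNOWN };

/* Constructed account that exists only in the directory; assumed absent
 * from the local passwd database. */
#define DIR_USER "ad-only-user-7f3a"
#define DIR_PASS "constructed-password"

/* Stand-in for the Kerberos exchange with the KDC (not a real verifier). */
static enum rc kdc_verify(const char *user, const char *pw) {
    return (strcmp(user, DIR_USER) == 0 && strcmp(pw, DIR_PASS) == 0)
               ? RC_SUCCESS : RC_AUTH_ERR;
}

/* Local-account check, the part the post wants moved out of authentication. */
static enum rc local_account(const char *user) {
    return getpwnam(user) != NULL ? RC_SUCCESS : RC_USER_UNKNOWN;
}

/* Auth phase with the property the post describes: the password check and
 * getpwnam() must both succeed. */
enum rc auth_coupled(const char *user, const char *pw) {
    enum rc r = kdc_verify(user, pw);
    return r != RC_SUCCESS ? r : local_account(user);
}

/* Auth phase as the post proposes: verify the password only. */
enum rc auth_password_only(const char *user, const char *pw) {
    return kdc_verify(user, pw);
}

/* Account phase choices: local lookup, or pam_permit-style always-allow. */
enum rc acct_local(const char *user) { return local_account(user); }
enum rc acct_permit(const char *user) { (void)user; return RC_SUCCESS; }

/* The application runs the auth phase, then the account phase; a failure
 * in either one denies access. */
enum rc run_stack(enum rc (*auth)(const char *, const char *),
                  enum rc (*acct)(const char *),
                  const char *user, const char *pw) {
    enum rc r = auth(user, pw);
    return r != RC_SUCCESS ? r : acct(user);
}

int main(void) {
    printf("coupled auth + permit: %d\n", run_stack(auth_coupled, acct_permit, DIR_USER, DIR_PASS));
    printf("split auth + permit:   %d\n", run_stack(auth_password_only, acct_permit, DIR_USER, DIR_PASS));
    printf("split auth + local:    %d\n", run_stack(auth_password_only, acct_local, DIR_USER, DIR_PASS));
    return 0;
}
```

With the split, the choice between directory-only users and locally provisioned users is made per service in the account line of the PAM config rather than inside the authentication module.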