pam_krb5 pam_sm_authenticate question

From: Corey Smith (csmith_at_bonddesk.com)
Date: 11/11/05

  • Next message: Dmitry Grigorovich: "Race condition in Sudo's pathname validation, version <= 1.6.8p9"
    To: freebsd-security@freebsd.org
    Date: Fri, 11 Nov 2005 17:12:55 -0500
    
    

    First time poster so be kind :)

    I was looking at the pam_krb5.c code and noticed that for authentication
    to succeed getpwnam() has to succeed.

    Previously I had set up a web site using mod_auth_pam to authenticate
    against an active directory (AD) server using a pam config like:

    # auth
    auth required pam_krb5.so no_ccache no_warn

    # account
    account required pam_permit.so

    Using security/pam_krb5 this was OK. I didn't need to have AD users in
    my local /etc/passwd for authentication to be successful. This is not
    possible using FreeBSD's pam_krb5.so because of the getpwnam in the
    authentication function of pam_krb5.c.

    I'm not trying to build a bikeshed but shouldn't pam_sm_authenticate
    verify the password and pam_sm_acct_mgmt verify that the user has a
    local account?

    If this were the case then you could set up other services like ftp and
    such to use pam_krb5 for AD authentication.

    -Corey Smith
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
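The split Corey asks about, modelled as an added example (this is not FreeBSD's pam_krb5.c or any project's code): an authentication phase that checks the password against a constructed in-memory credential table standing in for the Kerberos KDC, and an account phase that checks for a local passwd entry with the real getpwnam(3). The `require_local_in_auth` flag models the behaviour he describes in the base system's pam_krb5.c (getpwnam inside pam_sm_authenticate); clearing it models the design he proposes. The `permit_all` flag models `account required pam_permit.so` from his config. Function and variable names and the user `kdc-only-example-user` are assumptions for this example.

```c
/* Added example: a model of PAM's auth and account phases, not pam_krb5.c.
 * The credential table is constructed and stands in for a KDC / AD. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>

struct cred { const char *user; const char *password; };

/* Constructed stand-in for the KDC: an AD-only principal with no local
 * passwd entry (assumed name), and a second one to show lookup by name. */
static const struct cred kdc_table[] = {
    { "kdc-only-example-user", "s3cret" },
    { "other-example-user",    "hunter2" },
};

enum { PAM_OK = 0, PAM_AUTH_FAIL = 1, PAM_NO_LOCAL_USER = 2 };

/* Length-independent comparison so a wrong password does not leak how many
 * leading characters matched through timing. */
static int same_secret(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/* Stand-in for krb5_verify_user(): is this principal/password pair valid? */
int verify_credentials(const char *user, const char *password) {
    for (size_t i = 0; i < sizeof kdc_table / sizeof kdc_table[0]; i++) {
        if (strcmp(kdc_table[i].user, user) == 0)
            return same_secret(kdc_table[i].password, password);
    }
    return 0;
}

/* Real NSS lookup: does the user exist in /etc/passwd (or other NSS source)? */
int has_local_account(const char *user) {
    return getpwnam(user) != NULL;
}

/* Auth phase. require_local_in_auth=1 models pam_krb5.c as described in the
 * post; 0 models the proposed "only verify the password here" behaviour. */
int auth_phase(const char *user, const char *password, int require_local_in_auth) {
    if (require_local_in_auth && !has_local_account(user))
        return PAM_NO_LOCAL_USER;
    return verify_credentials(user, password) ? PAM_OK : PAM_AUTH_FAIL;
}

/* Account phase. permit_all=1 models "account required pam_permit.so";
 * 0 models an account module that insists on a local passwd entry. */
int acct_phase(const char *user, int permit_all) {
    if (permit_all)
        return PAM_OK;
    return has_local_account(user) ? PAM_OK : PAM_NO_LOCAL_USER;
}

/* Run both phases in order, as a PAM stack would for "auth" then "account". */
int run_stack(const char *user, const char *password,
              int require_local_in_auth, int permit_all) {
    int rc = auth_phase(user, password, require_local_in_auth);
    if (rc != PAM_OK)
        return rc;
    return acct_phase(user, permit_all);
}

int main(void) {
    const char *u = "kdc-only-example-user";
    printf("pam_krb5.c-style auth + pam_permit account: %d\n", run_stack(u, "s3cret", 1, 1));
    printf("proposed auth + pam_permit account:         %d\n", run_stack(u, "s3cret", 0, 1));
    printf("proposed auth + local-account check:        %d\n", run_stack(u, "s3cret", 0, 0));
    printf("proposed auth, wrong password:              %d\n", run_stack(u, "wrong", 0, 1));
    return 0;
}
```

With the getpwnam check inside the auth phase, the AD-only user is rejected before the password is ever verified, so the `account required pam_permit.so` line never gets a say; with the check moved to the account phase, the same config admits the user, and a site that does want a local account simply uses a stricter account module instead of pam_permit.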

