From: Corey Smith <csmith@bonddesk.com>
To: freebsd-security@freebsd.org
Date: Fri, 11 Nov 2005 17:12:55 -0500
Message-Id: <1131747175.23925.225.camel@localhost>
Subject: pam_krb5 pam_sm_authenticate question

First time poster so be kind :)

I was looking at the pam_krb5.c code and noticed that for authentication to succeed getpwnam() has to succeed.
Previously I had set up a web site using mod_auth_pam to authenticate against an Active Directory (AD) server using a pam config like:

    # auth
    auth     required  pam_krb5.so  no_ccache no_warn
    # account
    account  required  pam_permit.so

Using security/pam_krb5 this was OK. I didn't need to have AD users in my local /etc/passwd for authentication to be successful.

This is not possible using FreeBSD's pam_krb5.so because of the getpwnam in the authentication function of pam_krb5.c.

I'm not trying to build a bikeshed, but shouldn't pam_sm_authenticate verify the password and pam_sm_acct_mgmt verify that the user has a local account? If this were the case then you could set up other services like ftp and such to use pam_krb5 for AD authentication.

-Corey Smith
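The split the post argues for, as an added model in C that is not FreeBSD's pam_krb5.c or any real PAM module: password verification lives in the authenticate step and never consults getpwnam(), while the local-account requirement lives in the account-management step, so the pam.conf stack (pam_permit vs. a passwd-checking account module) decides whether realm-only users are admitted. The realm table, the model_* function names and the locally defined PAM_* codes are constructed for this illustration (the real codes come from <security/pam_modules.h>); a real module would hand the password to the KDC rather than compare it itself.

```c
/* Added illustration of the authenticate / acct_mgmt split; not FreeBSD code. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Return codes defined locally so this compiles without PAM headers
   (the values mirror the common PAM definitions but are an assumption here). */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_USER_UNKNOWN = 10 };

struct principal { const char *name; const char *password; };

/* Constructed stand-in for the Kerberos realm (AD). "aduser" deliberately has
   no entry in the local /etc/passwd, which is the case the post describes. */
static const struct principal realm[] = {
    { "aduser", "s3cret" },
    { "webadmin", "hunter2" },
};

/* Modelled pam_sm_authenticate: verify the credential against the realm only.
   No getpwnam() here, so a realm user without a local account can still pass. */
int model_authenticate(const char *user, const char *password) {
    for (size_t i = 0; i < sizeof realm / sizeof realm[0]; i++) {
        if (strcmp(realm[i].name, user) == 0)
            return strcmp(realm[i].password, password) == 0 ? PAM_SUCCESS
                                                            : PAM_AUTH_ERR;
    }
    return PAM_USER_UNKNOWN;
}

/* Modelled pam_sm_acct_mgmt: this is where "does the user have a local
   account?" belongs. A pam_permit-style module would simply return success. */
int model_acct_mgmt(const char *user) {
    return getpwnam(user) != NULL ? PAM_SUCCESS : PAM_USER_UNKNOWN;
}

/* The PAM stack as pam.conf would compose it: auth, then account.
   require_local == 0 models "account required pam_permit.so";
   require_local == 1 models an account module that checks /etc/passwd. */
int model_stack(const char *user, const char *password, int require_local) {
    int rc = model_authenticate(user, password);
    if (rc != PAM_SUCCESS)
        return rc;
    return require_local ? model_acct_mgmt(user) : PAM_SUCCESS;
}

int main(void) {
    printf("aduser, pam_permit account step: %d\n", model_stack("aduser", "s3cret", 0));
    printf("aduser, passwd-checking account step: %d\n", model_stack("aduser", "s3cret", 1));
    printf("aduser, wrong password: %d\n", model_stack("aduser", "wrong", 0));
    return 0;
}
```

With the check placed this way, the web server's stack (pam_permit for account) admits AD users with no passwd entry, while a login service that needs a home directory and uid keeps a passwd-checking account module and rejects them in the account step rather than in authentication.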