From: Tillman Hodgson <tillman@seekingfire.com>
To: freebsd-questions@freebsd.org
Date: Mon, 9 May 2005 10:24:23 -0600
Subject: Re: Kerberos
Message-ID: <20050509162423.GP48310@seekingfire.com>
In-Reply-To: <20050509155321.89400.qmail@web50408.mail.yahoo.com>
References: <20050506040544.3DFFE16A4D3@hub.freebsd.org> <20050509155321.89400.qmail@web50408.mail.yahoo.com>
User-Agent: Mutt/1.5.9i
X-GPG-Key-ID: 828AFC7B
X-GPG-Fingerprint: 5584 14BA C9EB 1524 0E68 F543 0F0A 7FBC 828A FC7B
X-GPG-Key: http://www.seekingfire.com/personal/gpg_key.asc
X-Urban-Legend: There is lots of hidden information in headers
X-Tillman-rules: yes he does
X-No-prize-winner: Nathanael
List-Id: User questions

On Mon, May 09, 2005 at 08:53:21AM -0700, Damian Sobieralski wrote:
> > PAM does not map well to Kerberos, unfortunately. Generally speaking
> > you want to avoid PAM with Kerberos if you can possibly use native
> > Kerberos
> > :-)
>
> It seems my ignorance is kicking in here - how would they log into the
> machine first, to issue "kinit"/native if I don't use PAM to get them
> INTO the machine?

Using Kerberos-native login binaries, for example. Once logged in,
connecting to other hosts is done using Kerberos-native applications
like telnet -x, SSH with GSSAPI, etc.

A well-written PAM module can also work here, but generally should be
avoided for network services. The problem is that PAM basically assumes
a username/password pair. Kerberos doesn't give you that with network
services.

> I just modified the /etc/pam.d/sshd file (only using kerberos for
> sshd):

Look into the GSSAPI options for /etc/ssh/ssh_config instead. Newer
OpenSSH versions support Kerberos natively and don't need PAM hacks.

-T

-- 
Laws to suppress tend to strengthen what they would prohibit. This is
the fine point on which all the legal professions of history have based
their job security.
    - Bene Gesserit Coda
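As an added illustration of the GSSAPI route the reply recommends (this is not part of the thread and not a FreeBSD or OpenSSH project file), here is the client-side and server-side OpenSSH configuration that lets an existing Kerberos ticket authenticate an SSH session without a PAM password prompt. The `example.org` domain is a placeholder; every keyword shown is a standard OpenSSH option.

```text
# /etc/ssh/ssh_config  (client side; added example, example.org is a placeholder)
# OpenSSH only treats whole lines starting with '#' as comments,
# so keep comments on their own lines rather than after a keyword.
Host *.example.org
    # Offer the user's Kerberos TGT to the server via GSSAPI.
    GSSAPIAuthentication yes
    # Leave credential forwarding off unless a host genuinely needs to
    # act on the user's behalf; a forwarded TGT on a compromised host
    # can be reused against every other service in the realm.
    GSSAPIDelegateCredentials no

# /etc/ssh/sshd_config  (server side; added example)
# Accept GSSAPI/Kerberos authentication. The host needs a
# host/<fqdn>@REALM key in /etc/krb5.keytab for this to work.
GSSAPIAuthentication yes
# Destroy any delegated credential cache when the session ends.
GSSAPICleanupCredentials yes
# Turn off password logins so the only way in is a Kerberos ticket or a key;
# this removes the PAM password path the thread is trying to avoid.
PasswordAuthentication no
```

After changing sshd_config, `sshd -t` checks the file for syntax errors before a restart, and the server-side log (auth facility, `Accepted gssapi-with-mic for <user>`) confirms that logins are arriving via Kerberos rather than through a password fallback.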