Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Linux Software

Ask Slashdot: Kerberos and PAM? 28

mattdm writes in with this query: "I'm trying to get PAM (on Red Hat Linux 5.2) to work with Kerberos. Has anyone done this succesfully? I'm using pam_krb4 from this URL. It works to authenticate people perfectly, but it doesn't save a TGT or set the proper environment variables. This is pretty important to getting Linux officially supported at the university where I work, so any help would be great." Update: 03/17 06:48 by C :The link posted above doesn't work, but you can go here to browse through their PAM files. Thanks to tjrw for the link. Update: 03/18 04:38 by C :The original link has now been fixed.
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Kerberos and PAM?

Comments Filter:
  • The Redhat-Athena 5.2 release here at MIT uses kerberos4 for its passwd stuff, but it might be MIT specific. I don't even know if people outside MIT have access to it. Here's a place to get started:

    http://web.mit.edu/linux/www/
  • Um, the URL you gave doesn't seem to work (at least for me). Doing a web search, I found a bunch of stuff at Dementia [dementia.org] including three releases of the pam_krb4 code.

    Looks like pam_krb4-981201.tar.gz would be a likely contender... t

  • Is there any particular reason you *really* want to use PAM? The Kerberized login and ftpd that come with KTH kerberos ( http://www.pdc.kth.se/kth-krb/ ) all work fine with Linux, and you can get Kerberos IV patches for sshd at http://www.monkey.org/~dugsong/ssh-afs-kerberos.ht ml . There are some advantages to PAM since it should theoretically just "drop in" to most Linux distros now, but given that you generally want to install kerberized apps anyhow to get the encryption (and with K5, the TGT passing) capabilities of Kerberos, I've found that generally it's less hassle to just set the apps up and ignore PAM, especially given how piss-poor the PAM documentation is.
    If you're rolling Kerberos out on a University-wide basis, you probably want to talk to the MIT Athena people and the the CMU administrators as they've already been through it.
  • This is in fact a bug in Red Hat 5.2's login. The problem is that login closes the PAM session before spawning the shell; pam_krb4 destroys your ticket cache at that point.

    I reported it to Red Hat almost immediately upon RH5.2's release (it breaks pam_linux_afs as well, which is disastrous in CMU ECE's environment). They have fixed it, but didn't see any point in releasing an updated util-linux RPM.

    You're probably better off getting util-linux and building it yourself anyway: RH5.2 ships with an ancient version.
  • somehow a "." got at the end of the URL. Just erase it and everything should be sunshine and roses.
  • I got Kerb5 to work through PAM on a RedHat 5.0 box last spring while I was still attending University. It worked quite nicely too; a correctly compiled ssh would simply forward my tickets to hosts to which I was connecting. Unfortunately, the machines belong to a project on which I no longer work, and the details of how I did it have vanished from my memory. But it is possible.
  • An advantage to PAM is that one doesn't always want to use kerberos. In my own case, I got the Kerb5 PAM working on a pair of laptops. When they saw a network card, they would switch to using the kerberos module; otherwise they used the local accounts.
  • by Anonymous Coward
    Hey, this one is right up my alley:

    I've got:

    - ssh, xdm, and su fixed to pass environment variables (i.e. KRBTKFILE)
    - a PAM module that supports Kerberos authentication in multiple cells (AFS is supported if you want it)
    - KTH-KRB4 and Arla configured to work for logging in

    I've got everything wrapped up in RedHat 5.2 compatible RPM files.
    The unfortunate part? I don't have any of this up on the web. (I know, sorry- I'm putting the finishing touches on the PAM module)

    Check:

    http://www-personal.engin.umich.edu/~wingc

    next week and I'll try and put some info up. Thanks!
  • Kereberos is also running on linux at CMU [cmu.edu] (Carnegie Mellon University for all you people who dont know :) the place where the Coda file system for linux is being developed ). So I do know that its possible to run it. However not sure how to do it. Dont know if this is of any help but at least thought should let you know.
  • This is a known problem. Check the RedHat Bugzilla bug report #201 [redhat.com] for more information. Basicly, you need to upgrade util-linux.
  • Anyone have PAM working with K5? The MIT links were potentially useful, but I was wondering if anyone has actually done and documented this...
  • I did this once. See my other post above.
  • I've got it somewhat working - there was a solaris PAM kerb5 module out there. It needed to be fixed up a bit, but for the most part just worked.

    I'm not sure if I ever really got it right though; - I've never really done a full kerb install on the machine - all I wanted was something that authenticated.

    Anyway, the guy who originally wrote it is
    Naomaru Itoi - I haven't had time to send him my changes yet, so if you have problems building it send me some mail...

    -Erik (props to Gus as well - I got this working here after he did, so he was able to help me out as well)
  • by Bishop ( 4500 )

    Debian xdm does this. the entry is created in /etc/X11/xdm/Xstartup and removed in /etc/X11/xdm/Xreset. It uses sessreg

  • This is a bit OT but I've never been able to find an extended TACACS server which supported PAM. I use the Vikas version of xtacacsd, and when I asked him to consider adding PAM support he said, "Oh, yet *another* Unix security standard" and suggested I try another version. Basically, I need shadow support in TACACS. This was no problem under Slackware, but I get a "No such lib -lshadow" compile error under Red Hat (because this kind of security is done with PAM, if I am correct). I got around this by keeping a shadow passwd file for regular logins, and a non-shadow version for TACACS log-ins, but it's such a hassle. I'd really like to be able to have shadow support for TACACS under Red Hat Linux. Switching to RADIUS is not an option, unfortunately. Any ideas? I can be reached at 3srf@qlink.queensu.ca, or you can post your thoughts here. Thanks!
  • Posted by gbritton:

    I put together a set of packages which deal with PAM and Kerberos V as well as several other useful things. Most of these packages can be downloaded by anyone, however Kerberos itself and ssh are export restricted, so you might be denied access. Sorry. Also, util-linux will need to be upgraded to a more recent version than Red Hat ships currently to actually work with these modules. The SSH on this page also has a lot of minor improvements for dealing with Kerberos and AFS.

    Light Brigade [mit.edu]

    Select the "New Athena" link.

  • A severaly hacked version for the rest of the world (thank you, Gov. of USA) is KTH-KRB (only KRB4 though).It is available from:
    http://www.pdc.kth.se/kth-krb/
    thanks to nice fellows (mainly assar & joda) at PDC, KTH (Kungliga Tekniska Högskolan ~ Royal Institute of Technology), Stockholm, Sweden. It's said to be less buggy than the original dist. Includes information on PAM modules.

    And thanks to another nice fellow (thn) there is a kerberosised telnet and ftp available for Windows *, if you happens to be using that OS.It is available at :
    http://www.stacken.kth.se/~thn/ktelnet/

    "Enjoy, and I will see you soon"
    /Stefan

  • Agreed, if you're going to be using Kerberos IV you owe it to yourself to use KTH and not MIT or Cygnus. Now if only the KTH people would finish up Heimdal (their Kerberos 5 implementation)...

    FWIW, if you want a really *good* telnet client that happens to do Kerberos IV as well, look at Niftytelnet. You should be able to get it somewhere off of http://andrew2.andrew.cmu.edu . It also has the best terminal emulation of any non-Unix telnet client that I've seen.
  • Yes, of *course* I checked on Dejanews (several times). But none of the suggestions have yet been helpful. That's why I posted to SlashDot. :p

I THINK THEY SHOULD CONTINUE the policy of not giving a Nobel Prize for paneling. -- Jack Handley, The New Mexican, 1988.

Working...