Ask Slashdot: Kerberos and PAM?
mattdm writes in with this query: "I'm trying to get PAM (on Red Hat Linux 5.2) to work with Kerberos. Has anyone done this successfully? I'm using pam_krb4 from this URL. It works to authenticate people perfectly, but it doesn't save a TGT or set the proper environment variables. This is pretty important to getting Linux officially supported at the university where I work, so any help would be great."
Update: 03/17 06:48 by C: The link posted above doesn't work, but you can go here to browse through their PAM files. Thanks to tjrw for the link.
Update: 03/18 04:38 by C: The original link has now been fixed.
The Redhat-Athena 5.2 release here at MIT uses kerberos4 for its passwd stuff, but it might be MIT specific. I don't even know if people outside MIT have access to it. Here's a place to get started:
http://web.mit.edu/linux/www/
This page has some RPMS and SRPMS that will probably help you out. Looks like pam_krb4-981201.tar.gz would be a likely contender...
This doesn't answer your question, but it seems like a good place to ask mine. I've been wondering for some time how Kerberos, PAM, etc. all fit together. Can anyone point me to some good introductory docs on the topic? Preferably several different sets, so I can get pieces from each. (HOWTOs weren't particularly enlightening.)
TIA.
Is there any particular reason you *really* want to use PAM? The Kerberized login and ftpd that come with KTH kerberos ( http://www.pdc.kth.se/kth-krb/ ) all work fine with Linux, and you can get Kerberos IV patches for sshd at http://www.monkey.org/~dugsong/ssh-afs-kerberos.html . There are some advantages to PAM since it should theoretically just "drop in" to most Linux distros now, but given that you generally want to install kerberized apps anyhow to get the encryption (and with K5, the TGT passing) capabilities of Kerberos, I've found that generally it's less hassle to just set the apps up and ignore PAM, especially given how piss-poor the PAM documentation is.
If you're rolling Kerberos out on a University-wide basis, you probably want to talk to the MIT Athena people and the CMU administrators as they've already been through it.
Two likely problems:
1) Some applications are broken with respect to environment handling and don't call the pam_getenvlist/pam_getenv (and then setenv/putenv) to set up the environment variables that PAM exported.
2) pam configuration ordering and bad behavior by some modules.
I asked mattdm to provide more info, and I'll be happy to follow up here if people care.
-D
(shadow@dementia.org, pam_krb4 author:-)
It would probably work better if it didn't have a spurious dot on the end, try...
http://www.dementia.org/~shadow/pam.html
This is in fact a bug in Red Hat 5.2's login. The problem is that login closes the PAM session before spawning the shell; pam_krb4 destroys your ticket cache at that point.
I reported it to Red Hat almost immediately upon RH5.2's release (it breaks pam_linux_afs as well, which is disastrous in CMU ECE's environment). They have fixed it, but didn't see any point in releasing an updated util-linux RPM.
You're probably better off getting util-linux and building it yourself anyway: RH5.2 ships with an ancient version.
-- brandon s. allbery, sysadmin @ cmu electrical & computer engineering "Think, youth, THINK!"
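The two posts above describe the same defect from opposite sides: an application must copy the variables a module exported (pam_getenvlist/pam_getenv, then setenv/putenv) into its own environment after pam_open_session() and before exec'ing the shell, and must not call pam_close_session() until the shell exits, because that is when pam_krb4 destroys the ticket cache. The C below is an added example, not code from pam_krb4, util-linux or any poster; export_pam_env() consumes a list in the shape pam_getenvlist() returns, and sample_pam_envlist() is a constructed stand-in for that call with made-up sample values.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Copy a PAM environment list into this process's environment.
 * `list` has the shape pam_getenvlist() returns: a NULL-terminated array
 * of malloc'd "NAME=VALUE" strings owned by the caller, who must free them.
 * Entries without '=' (or with an empty name) are skipped but still freed.
 * Returns the number of variables set, or -1 if `list` is NULL.
 * Call this after pam_open_session() and before forking the user's shell,
 * and only call pam_close_session() once the shell has exited. */
int export_pam_env(char **list) {
    if (list == NULL) return -1;
    int exported = 0;
    for (char **p = list; *p != NULL; p++) {
        char *eq = strchr(*p, '=');
        if (eq != NULL && eq != *p) {
            *eq = '\0';                         /* split NAME and VALUE in place */
            if (setenv(*p, eq + 1, 1) == 0)     /* setenv copies, so freeing is safe */
                exported++;
        }
        free(*p);
    }
    free(list);
    return exported;
}

/* Constructed stand-in for pam_getenvlist(): what a session with pam_krb4
 * (and a Kerberos 5 module) might export. Sample values, not real output. */
char **sample_pam_envlist(void) {
    static const char *const vars[] = {
        "KRBTKFILE=/tmp/tkt500",            /* Kerberos IV ticket cache */
        "KRB5CCNAME=FILE:/tmp/krb5cc_500",  /* Kerberos 5 credential cache */
        "MALFORMED",                        /* no '=': must be skipped */
    };
    size_t n = sizeof vars / sizeof vars[0];
    char **list = calloc(n + 1, sizeof *list);  /* +1 for NULL terminator */
    if (list == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        list[i] = strdup(vars[i]);
        if (list[i] == NULL) {                  /* unwind on allocation failure */
            for (size_t j = 0; j < i; j++) free(list[j]);
            free(list);
            return NULL;
        }
    }
    return list;
}
```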
Somehow a "." got at the end of the URL. Just erase it and everything should be sunshine and roses.
Citizens Against Plate Tectonics
I got Kerb5 to work through PAM on a RedHat 5.0 box last spring while I was still attending University. It worked quite nicely too; a correctly compiled ssh would simply forward my tickets to hosts to which I was connecting. Unfortunately, the machines belong to a project on which I no longer work, and the details of how I did it have vanished from my memory. But it is possible.
--Gus
An advantage to PAM is that one doesn't always want to use kerberos. In my own case, I got the Kerb5 PAM working on a pair of laptops. When they saw a network card, they would switch to using the kerberos module; otherwise they used the local accounts.
--Gus
Hey, this one is right up my alley:
I've got:
- ssh, xdm, and su fixed to pass environment variables (i.e. KRBTKFILE)
- a PAM module that supports Kerberos authentication in multiple cells (AFS is supported if you want it)
- KTH-KRB4 and Arla configured to work for logging in
I've got everything wrapped up in RedHat 5.2 compatible RPM files.
The unfortunate part? I don't have any of this up on the web. (I know, sorry; I'm putting the finishing touches on the PAM module.)
Check:
http://www-personal.engin.umich.edu/~wingc
next week and I'll try and put some info up. Thanks!
Kerberos is also running on Linux at CMU (Carnegie Mellon University for all you people who don't know :) the place where the Coda file system for Linux is being developed). So I do know that it's possible to run it. However, not sure how to do it. Don't know if this is of any help, but at least thought I should let you know.
This is a known problem. Check the RedHat Bugzilla bug report #201 for more information. Basically, you need to upgrade util-linux.
You mentioned xdm logins so I'll stick a question of mine in here. When I log in via xdm my username doesn't show up in the output of {w,finger,who}. How come? Someone on irc suggested that this was the way it was supposed to be, that only people running a shell on the system were supposed to show up; is this true? If so, how can I list the users logged in via xdm?
Anyone have PAM working with K5? The MIT links were potentially useful, but I was wondering if anyone has actually done and documented this...
xdm just doesn't "do" that. Type man utmp on a Linux system for the rationale behind this.
Now, xterm makes utmp entries, so if you have an xterm open you should show up in the list of users. (in finger)
You could always modify xdm to make a utmp entry, but you'd also have to find a place in the xdm source to remove the utmp entry when done.
I did this once. See my other post above.
--Gus
I've got it somewhat working; there was a Solaris PAM kerb5 module out there. It needed to be fixed up a bit, but for the most part just worked.
I'm not sure if I ever really got it right though; I've never really done a full kerb install on the machine. All I wanted was something that authenticated.
Anyway, the guy who originally wrote it is
Naomaru Itoi - I haven't had time to send him my changes yet, so if you have problems building it send me some mail...
-Erik (props to Gus as well - I got this working here after he did, so he was able to help me out as well)
Debian xdm does this. The entry is created in /etc/X11/xdm/Xstartup and removed in /etc/X11/xdm/Xreset. It uses sessreg.
This is a bit OT but I've never been able to find an extended TACACS server which supported PAM. I use the Vikas version of xtacacsd, and when I asked him to consider adding PAM support he said, "Oh, yet *another* Unix security standard" and suggested I try another version. Basically, I need shadow support in TACACS. This was no problem under Slackware, but I get a "No such lib -lshadow" compile error under Red Hat (because this kind of security is done with PAM, if I am correct). I got around this by keeping a shadow passwd file for regular logins, and a non-shadow version for TACACS log-ins, but it's such a hassle. I'd really like to be able to have shadow support for TACACS under Red Hat Linux. Switching to RADIUS is not an option, unfortunately. Any ideas? I can be reached at 3srf@qlink.queensu.ca, or you can post your thoughts here. Thanks!
I'll have to check that out; though I think it would be more useful to have wtmp entries than utmp entries.
I put together a set of packages which deal with PAM and Kerberos V as well as several other useful things. Most of these packages can be downloaded by anyone, however Kerberos itself and ssh are export restricted, so you might be denied access. Sorry. Also, util-linux will need to be upgraded to a more recent version than Red Hat ships currently to actually work with these modules. The SSH on this page also has a lot of minor improvements for dealing with Kerberos and AFS.
Light Brigade
Select the "New Athena" link.
"especially given how piss-poor the PAM documentation is."
Yes. Quite so! For as important a tool as that, this is a blatant insult to users and all.
Have you searched for it in the newsgroups? See e.g. http://www.dejanews.com/[ST_rn=qs]/dnquery.xp?QRY=%2Btacacs+%2Blinux+%2Bpam&defaultOp=AND&LNG=ALL&ST=QS&svcclass=dnold&DBS=2 (past archive)
http://www.pdc.kth.se/kth-krb/
Thanks to nice fellows (mainly assar & joda) at PDC, KTH (Kungliga Tekniska Högskolan ~ Royal Institute of Technology), Stockholm, Sweden. It's said to be less buggy than the original dist. Includes information on PAM modules.
And thanks to another nice fellow (thn) there is a kerberosised telnet and ftp available for Windows *, if you happen to be using that OS. It is available at:
http://www.stacken.kth.se/~thn/ktelnet/
"Enjoy, and I will see you soon"
/Stefan
Agreed, if you're going to be using Kerberos IV you owe it to yourself to use KTH and not MIT or Cygnus. Now if only the KTH people would finish up Heimdal (their Kerberos 5 implementation)...
FWIW, if you want a really *good* telnet client that happens to do Kerberos IV as well, look at Niftytelnet. You should be able to get it somewhere off of http://andrew2.andrew.cmu.edu . It also has the best terminal emulation of any non-Unix telnet client that I've seen.
Yes, of *course* I checked on Dejanews (several times). But none of the suggestions have yet been helpful. That's why I posted to SlashDot. :p