
RE: gssapi, sasl, pam interaction



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Adrian Worthington

> 	  i have set up a kerberos realm, and an ldap server. with this
> setup i can get a ticket from the tgs, and using this identity
> authenticate against the ldap server. the sasl-regexp is setup
> correctly and ldapwhoami returns the correct user and
> information, using sasl authentication.

Great.

> 	the final piece of the puzzle i am trying to solve is to login
> securely using this setup. there have been posts on this list stating
> that pam_krb5 is a bad solution for the pam login service, as for
> services such as telnet the password is sent in plain text across the
> network, defeating the purpose of using kerberos. therefore the only
> secure method is to use pam_ldap, and force an ssl connection between
> the client and server.

Not quite.... The problem is that telnet uses plaintext, so *any* PAM
mechanism used here will have its password exposed over the network. The
solution isn't to change the pam mechanism, the solution is to not use
plaintext telnet. E.g., use kerberized telnet instead, or use ssh. Since
you're using kerberos already I think using kerberized telnet makes the most
sense, for this example.

> so far so good, another point raised is unless authentication is
> only possible against the ldap server and the passwords are held
> in kerberos there is no need to use the userPassword attribute with
> the {kerberos}XXXXXXX mechanism, which forces the ldap server to
> retrieve the password from the kerberos server.

Right.

> 	  what i can't figure out is how to hold directory information
> in the ldap server, the password in kerberos and setup pam_ldap to use
> the password given to the login process to acquire a ticket from the
> kerberos server, and have ldap/sasl-gssapi use the identity based on
> the kerberos authentication to retrieve all the necessary account and
> user information from the ldap server (shell, user, uidnumber etc.).

That's not the idea.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
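The sasl-regexp mapping that the first quoted paragraph says is "set up correctly", written out as an added example (this is not configuration from the thread or from either poster); the realm EXAMPLE.COM, the base dc=example,dc=com and the ou=people container are assumed placeholder values, and it assumes no sasl-realm default is configured so the realm component is present in the SASL identity.

```conf
# slapd.conf fragment (assumed example values, not from the thread).
#
# A client that authenticates with SASL/GSSAPI is seen by slapd as
#   uid=<principal>,cn=<REALM>,cn=gssapi,cn=auth
# which is not an entry in the directory.  sasl-regexp rewrites that
# identity to the user's real entry, so ACLs and ldapwhoami see the DN
# the directory information lives under.
#
# Map alice@EXAMPLE.COM -> uid=alice,ou=people,dc=example,dc=com.
# The realm is matched explicitly rather than with (.*) so a principal
# from another realm is not silently mapped onto a local account.
sasl-regexp
    uid=([^,]*),cn=EXAMPLE.COM,cn=gssapi,cn=auth
    uid=$1,ou=people,dc=example,dc=com
```

With a ticket for alice@EXAMPLE.COM, `ldapwhoami -Y GSSAPI` should then report `dn:uid=alice,ou=people,dc=example,dc=com`; a principal whose realm does not match the regexp keeps the unmapped cn=gssapi,cn=auth identity, which is the expected result and a useful check that the mapping is not too broad.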