[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: gssapi, sasl, pam interaction



Howard Chu [hyc@symas.com] wrote:
|> > -----Original Message-----
|> > From: owner-openldap-software@OpenLDAP.org
|> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Adrian
|> Worthington
|> 
|> > 	the final piece of the puzzle i am trying to solve is to login
|> > securely using this setup. there have been posts on this list stating
|> > that pam_krb5 is a bad solution for the pam login service, as for
|> > services such as telnet the password is sent in plain text across the
|> > network, defeating the purpose of using kerberos. therefore the only
|> > secure method is to use pam_ldap, and force an ssl connection between
|> > the client and server.
|> 
|> Not quite.... The problem is that telnet uses plaintext, so *any* PAM
|> mechanism used here will have its password exposed over the network. The
|> solution isn't to change the pam mechanism, the solution is to not use
|> plaintext telnet. E.g., use kerberized telnet instead, or use ssh. Since
|> you're using kerberos already I think using kerberized telnet makes the most
|> sense, for this example.

yes, i'm fine with this. i use ssh anyway i was just make a point. i
agree that using any solution that requires a plaintext password to be
sent across the network is a bad idea.

|> 
|> > so far so good, another point raised is unless
|> > authentication is only possible against the ldap server and the
|> > passwords are held in kerberos there is no need to use the
|> > userPassword
|> > attribute with the {kerberos}XXXXXXX mechanism, which forces the ldap
|> > server to retrieve the password from the kerberos server.
|> 
|> Right.

ok so i'm clear here.

|> 
|> > 	  what i can't figure out is how to hold directory information
|> > in the ldap server, the password in kerberos and setup pam_ldap to use
|> > the password given to the login process to aquire a ticket from the
|> > kerberos server, and have ldap/sasl-gssapi use the identity
|> > based on the
|> > kerberos authentication to retrieve all the neccessary
|> > account and user
|> > information from the ldap server (shell, user, uidnumber etc.).
|> 
|> That's not the idea.

now i'm stumped again, i see that you (symas) provide kerberos and ldap
binaries as part of the solution you provide, so you have buy in with both
technologies, what is the recommended way of setting up ldap in your
opinion to authorize and authenticate users - do you recommend only
using pam_ldap and storing the password as a {SSHA}XXX type password in
the directory, and if so where does the kerberos part fit in.

sorry for so many questions, i'm just trying to round out my
understanding.

thanks for your help

-- 
adi

Attachment: pgpqhhvl5kfFk.pgp
Description: PGP signature