blob: b871e0efe75cbaff289834fabe4ad09e445ac9da (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
Either MIT Kerberos (or Kerberos implementations based on it) or Heimdal
are supported. MIT Keberos 1.3 or later may be required; this module has
not been tested with earlier versions.
For PKINIT support, Heimdal 0.8rc1 or later or MIT Kerberos 1.6.3 or later
are required. Earlier MIT Kerberos 1.6 releases have a bug in their
handling of PKINIT options.
For FAST (Flexible Authentication Secure Tunneling) support, MIT Kerberos
1.7 or higher is required. For anonymous FAST support, anonymous
authentication (generally anonymous PKINIT) support is required in both
the Kerberos libraries and in the local KDC.
This module should work on Linux and Solaris (and build with gcc, clang,
or the Sun C compiler), but has been far more heavily tested on Linux.
There is beta-quality support for the AIX NAS Kerberos implementation.
Other PAM implementations will probably require some porting, although
untested build system support is present for FreeBSD, Mac OS X, and HP-UX.
I personally can only test on Linux and rely on others to report problems
on other operating systems.
Old versions of OpenSSH are known to call `pam_authenticate` followed by
`pam_setcred(PAM_REINITIALIZE_CRED)` without first calling
`pam_open_session`, thereby requesting that an existing ticket cache be
renewed (similar to what a screensaver would want) rather than requesting
a new ticket cache be created. Since this behavior is indistinguishable
at the PAM level from a screensaver, pam-krb5 when used with these old
versions of OpenSSH will refresh the ticket cache of the OpenSSH daemon
rather than setting up a new ticket cache for the user. The resulting
ticket cache will have the correct permissions (this is not a security
concern), but will not be named correctly or referenced in the user's
environment and will be overwritten by the next user login. The best
solution to this problem is to upgrade OpenSSH. I'm not sure exactly when
this problem was fixed, but at the very least OpenSSH 4.3 and later do not
exhibit it.
|
