Mailing List Archive

Kerberos authentication?
Hi,

I'm wondering if anyone has a patch to use Kerberos5 tokens for
authentication between the client and the server?

I can use the appropriate passwords (via PAM) but it would be much
easier for my users to directly use the tokens they have already.

Andras
_______________________________________________
users mailing list
users@conserver.com
https://www.conserver.com/mailman/listinfo/users
Re: Kerberos authentication?
On Sep 16 17:33, Andras.Horvath@cern.ch wrote:
> I'm wondering if anyone has a patch to use Kerberos5 tokens for
> authentication between the client and the server?
>
> I can use the appropriate passwords (via PAM) but it would be much
> easier for my users to directly use the tokens they have already.

Here is my most recent patch, which works with libgssapi and libgssglue.

I would love to get this patch upstream.

Nate
Re: Kerberos authentication?
> Here is my most recent patch, which works with libgssapi and libgssglue.

Works for me, thank you!

Note: authentication info has to be in username@REALM.DOMAIN format
instead of just 'username' for krb5 to work. This prevents users from
falling back to password authentication if they don't have a token (PAM
will come back with 'username' only). :-/ Perhaps a default realm could
be supplied somehow? I'm no gssapi expert :-/

> I would love to get this patch upstream.

I second that.
I've started tracking my (packaging-only) changes in git.

Andras
Re: Kerberos authentication?
On Thu, Sep 17, 2009 at 03:03:04PM +0200, Andras.Horvath@cern.ch wrote:
>
> Note: authentication info has to be in username@REALM.DOMAIN format
> instead of just 'username' for krb5 to work. This prevents users from
> falling back to password authentication if they don't have a token (PAM
> will come back with 'username' only). :-/ Perhaps a default realm could
> be supplied somehow? I'm no gssapi expert :-/

Ahm, well, attached is a hack that, if logging in with a given username
fails, retries login with any '@REALM' parts stripped off.
(The whole patch only makes sense together with Nate's GSSAPI patch.)

This serves me right for Kerberos and should be backwards compatible
unless you use both 'bozouser' and 'bozouser@bozo.com' as usernames and
they're two different people.

Disclaimer: I'm not an experienced C programmer -- please feel free to
criticize and/or fix.

Andras
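The strip-the-realm fallback described in the last two messages, written out as an added example. This is not Andras's hack, Nate's GSSAPI patch, or conserver code; the function name krb_to_local, the helpers, and the sample principal names are assumptions made for illustration. It goes one step beyond the thread's hack: instead of unconditionally dropping whatever follows '@', it takes the "default realm" Andras asks about as a parameter and only strips a realm that matches it, so a ticket for bozouser@OTHER.EXAMPLE is refused rather than silently becoming the local account bozouser (the collision the message above warns about). Names with a Kerberos instance component (user/admin@REALM) or backslash quoting are refused as well, since they have no obvious local equivalent.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from conserver or the patches in this thread):
 * map a GSSAPI/Kerberos principal name to a local username before a
 * password/PAM retry.  Rules:
 *   "user"           -> "user"    (no realm: pass through unchanged)
 *   "user@DEFAULT"   -> "user"    (realm equals the configured default)
 *   "user@OTHER.ORG" -> refused   (foreign realm: never map onto a local account)
 *   "user/inst@..."  -> refused   (instance component: no local equivalent)
 *   "a\@b@..."       -> refused   (Kerberos backslash quoting: not handled)
 *   "", "@R", "u@"   -> refused   (malformed)
 * Returns 1 and writes the local name to `out` on success, 0 when refused.
 * A caller that gets 0 should NOT fall back to PAM with a guessed name. */
int krb_to_local(const char *principal, const char *default_realm,
                 char *out, size_t outlen)
{
    const char *at;
    size_t userlen;

    if (principal == NULL || *principal == '\0' || out == NULL || outlen == 0)
        return 0;

    /* The realm separator is the LAST '@' in the name. */
    at = strrchr(principal, '@');
    userlen = (at != NULL) ? (size_t)(at - principal) : strlen(principal);

    if (userlen == 0 || userlen >= outlen)
        return 0;
    if (memchr(principal, '/', userlen) != NULL)   /* instance component */
        return 0;
    if (memchr(principal, '\\', userlen) != NULL)  /* quoted characters */
        return 0;

    if (at != NULL) {
        const char *realm = at + 1;
        if (*realm == '\0')
            return 0;
        /* Realm comparison is case-sensitive, as Kerberos realms are. */
        if (default_realm == NULL || strcmp(realm, default_realm) != 0)
            return 0;   /* foreign realm: refuse, do not strip */
    }

    memcpy(out, principal, userlen);
    out[userlen] = '\0';
    return 1;
}

/* Convenience wrappers for checks: does `principal` map to exactly `expected`,
 * or is it refused? */
int maps_to(const char *principal, const char *default_realm, const char *expected)
{
    char local[64];
    return krb_to_local(principal, default_realm, local, sizeof local) == 1
        && strcmp(local, expected) == 0;
}

int refused(const char *principal, const char *default_realm)
{
    char local[64];
    return krb_to_local(principal, default_realm, local, sizeof local) == 0;
}

int main(void)
{
    /* Constructed sample principals, using the names from the thread. */
    const char *samples[] = {
        "bozouser", "bozouser@bozo.com", "bozouser@OTHER.EXAMPLE",
        "bozouser/admin@bozo.com", "@bozo.com", "bozouser@"
    };
    char local[64];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (krb_to_local(samples[i], "bozo.com", local, sizeof local))
            printf("%-26s -> local user '%s'\n", samples[i], local);
        else
            printf("%-26s -> refused (no PAM fallback)\n", samples[i]);
    }
    return 0;
}
```

With the default realm set to bozo.com, only the bare name and bozouser@bozo.com reach the PAM retry as bozouser; everything else is refused so that a foreign principal cannot be retried against a local password. The default realm would come from configuration (or the libdefaults section of krb5.conf) in a real deployment; here it is simply passed in.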