Kerberos 5 PAM module

I've uploaded a PKGBUILD for pam-krb5 3.6
http://aur.archlinux.org/packages.php?d … s=0&SeB=nd
Allows pluggable authentication via PAM against a KDC.
later.
ryanc

I too am switching over from the world of Gentoo.  At my previous job, I managed a lot of about 30 Gentoo boxes and 10 OpenBSD boxes.
Heimdal is the Kerberos distribution of choice in Arch Linux; unless you make a package for mit-krb5 yourself, you'll have to use Heimdal as it is officially part of Arch Linux in the 'extra' repo.  Personally, I like Heimdal better -- it's smaller and supports newer ciphers, but it isn't as common and therefore is an afterthought for some authors implementing Kerberos support in their software.  So, the easiest way is to get it in via PAM, since most programs that need auth support PAM on Linux.  Also, it is the default Kerberos implementation for most of the BSDs, so it integrates more easily for me between Linux and BSD.
You'll notice that the version in the package isn't the latest available.  3.6 is the latest I can get to compile with Heimdal, whereas 3.8 has been released.  Remember the part about Heimdal being an afterthought?  Seems the new PKINIT support in versions > 3.6 doesn't quite work with Heimdal, although the author claims it does.
I hope the package works well for you.  If you need some example configs just let me know.
Oh, and be sure to vote for it in AUR so we can get it into the 'community' repo!
thanks.
ryanc

Similar Messages

  • Kerberos PAM Help!

    Hi All-
    I'm hoping some of you Sun Kerberos gurus can tell me if my problem can be resolved... Basically I have my test Solaris 10 system set up to authenticate, via PAM, in 3 ways.
    First it checks if you have a local account and then lets you in if so.
    Second it checks to see if you have a Kerberos account and if so authenticates you using Kerberos (getting a ticket) and uses LDAP account information.
    Third, if you have no Kerberos account, it checks your LDAP password and if correct lets you in using your LDAP account info.
    Basically I can get things working but the Kerberos PAM module is VERY chatty! If I log in with my LDAP password, pam_krb5 always tells me "Kerberos authentication failed" during dtlogin or ssh login, and then lets me in. But it's very annoying, and will confuse my users.
    Example: (logging in using LDAP password):
    % ssh weiler@testhost
    weiler@testhost's password:
    Kerberos authentication failed
    Last login: Fri Jun 30 08:33:26 2006 from banshee.cse.ucs
    You have mail.
    testhost:/home/weiler%
    And if I use my Kerberos password it gives me no errors and logs me in. With dtlogin, a pop-up window actually pops up saying the same thing, "Kerberos Authentication Failed" and you have to click the "OK" button and then it logs you in.
    I guess my question is: Is there any way to tell Kerberos to be quiet? I don't care if Kerberos authentication fails when people are logging in using LDAP credentials, I just don't want it to keep telling me it failed every time. The "nowarn" flag used with pam_krb5.so.1 in pam.conf doesn't seem to help.
    Here's my /etc/pam.conf if it will help:
    login auth requisite pam_authtok_get.so.1
    login auth required pam_unix_cred.so.1
    login auth sufficient pam_unix_auth.so.1
    login auth sufficient pam_krb5.so.1
    login auth sufficient pam_ldap.so.1
    dtsession auth sufficient pam_unix_auth.so.1
    dtsession auth sufficient pam_krb5.so.1
    dtsession auth sufficient pam_ldap.so.1
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth required pam_unix_cred.so.1
    rlogin auth required pam_unix_auth.so.1
    # Kerberized rlogin service
    krlogin auth required pam_unix_cred.so.1
    krlogin auth binding pam_krb5.so.1
    krlogin auth required pam_unix_auth.so.1
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_cred.so.1
    # Kerberized rsh service
    krsh auth required pam_unix_cred.so.1
    krsh auth binding pam_krb5.so.1
    krsh auth required pam_unix_auth.so.1
    # Kerberized telnet service
    ktelnet auth required pam_unix_cred.so.1
    ktelnet auth binding pam_krb5.so.1
    ktelnet auth required pam_unix_auth.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_unix_cred.so.1
    ppp auth required pam_unix_auth.so.1
    ppp auth required pam_dial_auth.so.1
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    other auth requisite pam_authtok_get.so.1
    other auth required pam_unix_cred.so.1
    other auth sufficient pam_unix_auth.so.1
    other auth sufficient pam_krb5.so.1 nowarn
    other auth sufficient pam_ldap.so.1
    # passwd command (explicit because of a different authentication module)
    passwd auth sufficient pam_passwd_auth.so.1
    passwd auth sufficient pam_ldap.so.1
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    passwd account sufficient pam_unix_account.so.1
    passwd account sufficient pam_ldap.so.1
    other account sufficient pam_unix_account.so.1
    other account sufficient pam_ldap.so.1
    other account sufficient pam_krb5.so.1 nowarn
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session sufficient pam_unix_session.so.1
    other session sufficient pam_ldap.so.1
    other session sufficient pam_krb5.so.1 nowarn
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1
    Thanks a million in advance for any insight!
    ciao, erich

    It turns out that in Solaris 8, the Kerberos installed does not support TCP. By default Kerberos tickets are issued by the KDC via UDP until the packet size reaches a maximum. Once the max is exceeded, the KDC switches to TCP.
    Since Solaris 8 Kerberos doesn't support TCP, you get an error executing kinit:
    kinit: KRB5 error code 52 while getting initial credentials
    So to mitigate, I'm looking at incorporating a version of Kerberos that does support switching to TCP (v1.4.1 or greater I believe).

  • How to use custom PAM module to unlock screen ?

    Hi,
    I actually use a custom PAM module to authenticate my users. This is working like a charm with sudo.
    I wanted to add it to the login screen, the one that everyone uses. I added my config in /etc/pam.d/authorization and everything is working. When I get a box prompting for a password, the plugin is activated. As expected.
    But my problem is that the plugin is not activated when my Mac gets the unlock screen after being asleep. You know, the one where your wallpaper is shown and your image. How to do so?
    Many thanks.
    Regards,
    Andy Pilate

    Here is how I did it in my app:
    <jbo:ApplicationModule id="am" configname="TestAMLocal" releasemode="Stateful" />
    <jbo:DataSource id="ds" appid="am" viewobject="TestView" rangesize="3"/>
    <%
    TestAM am2 = (TestAM) TestAM.useApplicationModule();
    am2.TestClient();
    %>
    Hope this helps.

  • Authenticating Host SPN using Kerberos Login module

    Hi,
    I have written an application that needs to support Java GSS based context establishment using Java's Kerberos Login module with the clients. This application is hosted in Tomcat and I have a limitation that Tomcat is running as the "LocalSystem" account on the host machine (not to be confused with the Administrator account on the host machine), so it does not have a password.
    The AD to which this host is connected has an SPN registered for this host machine like any other computer account. But my doubt is how I will authenticate my application (using the Kerberos Login module) using that host SPN if I do not have any password for "LocalSystem". I am giving the user name as "HOST/<machine-name>", or "<machine-name>", but it fails at the application side saying no encryption key found. If I try to give some random password I get an error message from AD saying that pre-authentication failed.
    Without authenticating my application to AD I am not able to get the Kerberos key which is required for context establishment for GSS.
    Any help in this regard will be really helpful.
    Thanks.

    Thanks for your response!
    My application is just an authentication module in a bigger application which is not under my control. This application is hosted on Apache Tomcat and provides both options: to run as the "LocalSystem" account and as a domain account. So I have to provide support for both options.
    I am getting increasingly convinced that the Java Kerberos module can't handle the authentication for the "LocalSystem" account and I need to opt for some Windows native APIs for that. If that is the case, can someone tell me how I can proceed with that? I have no idea which Windows APIs to use for it.
    Thanks.
    Edited by: Java-Dev-01 on Mar 14, 2010 6:03 AM

  • Create a PAM module in java

    I am wondering if it is possible to create a PAM module in java, as opposed to C/C++.
    If yes, how would I get started?

    Java already integrates the PAM concept (which, it seems, comes from Sun laboratories and was first integrated in Solaris, am I right?) through the JAAS API.
    JAAS has been integrated in Java since Java 1.4.
    So, the PAM concept (pluggable authenticable module) is mapped to the javax.security.auth.spi.LoginModule interface.
    So, to add a PAM to your Java application, you should provide a LoginModule implementation.
    hope it helps,
    Charles(jGuard team).

  • How to Disable the kerberos auth module

    Hi,
    Can someone please tell me what are the steps to Disable the kerberos auth module . I have OID<=>AD synchronized and WNA enabled. I want to disable the kerberos and do some testing and then enable it back. Is there a documentation which I can refer. I am on OracleAS Portal 10.1.2.0.0. Thanks

    While Portal is the front end UI most users see for the Oracle Identity management environment, WNA and Kerberos support is really a function of the SSO<>OID environment (Portal gets it for free as part of SSO). As such, I'm going to have to punt this across to them (as they would have the most up to date information).
    Can I suggest posting this question on the Identity Management Forum Identity Manager
    In the mean time we, in Portal land, will look into the issue as well.

  • Does a Kerberos authentication module exist?

    Does anyone know of a Kerberos authentication module for Portal Server? If not, can anyone think of any security implications that would suggest "rolling my own" would not be a good idea?

    No, we don't have any Kerberos auth module as part of the product, and you can develop your own using the auth APIs.

  • Uid and password sync / PAM module

    When syncing Unix box authentication with the LDAP or using PAM modules, should I be concerned about reserving certain UIDs in the LDAP to prevent collisions with system management account UIDs like root or administrator? Should I set up bogus entries for these UIDs so others can't acquire them? It doesn't affect the DS because its admin entries are not in the user's database. But a Unix box is set up to authenticate against an LDAP and a person logs into that box as root? I would think Unix boxes would use LDAP just for users, and not for su authentication. I am missing something here.

    In /etc/nsswitch.conf, in the passwd line, you define files and ldap. What it actually does: when someone logs in it checks the local files /etc/passwd and /etc/shadow first, and, if not found, will check with the LDAP. But in any case, it is a good idea to make sure there is no root user name in LDAP.

  • Kerberos Login Module

    Hi,
    I'm trying to configure SPNegoLoginModule for Kerberos authentication using EP6 with EP SP15 according to:
    http://help.sap.com/saphelp_nw04/helpdata/en/43/4e80824d155f86e10000000a1553f6/frameset.htm
    I know that there is a tool provided by SAP called SPNego Config Test Web App. How do I get this?
    Must the portal server be a Domain Controller?
    Thanks,
    Daniel.

    Hello Tom Bo,
    Thanks for the reply. I've implemented the SPNego login module on SPS15, but when I try to log on with Internet Explorer the portal returns the message "user authentication failed".
    I've set the following parameters:
      com.sap.spnego.uid.resolution.mode = simple
      com.sap.spnego.uid.resolution.attr = uniquename
    I don't know what's going wrong.
    Regards,
    Daniel.

  • How to retrieve ip address of the server running PAM inside its module?

    Hello all,
    I've configured Solaris 8 with a good deal of IP aliases on the network interface.
    Also I have a handwritten PAM module to auth users. It has some specific functionality which I need.
    For the moment, this module needs to be updated. This update requires knowledge of the IP address the user is connecting to.
    Is it possible, inside the PAM module, to determine the IP address (alias IP) of the machine the user is connecting to?
    Thank you for your answers.
    Mikhail.

    > Can i access the ip address of the DB server through SQL or PL/SQL code?
    No. It is the wrong place to look.
    Reason: a server can have, and often has, multiple IP addresses.
    So when you run SQL or PL/SQL code (or a Java stored proc), that will likely report the 1st IP address of the server - and you could have connected via another IP address of that server.
    The actual socket call to get the hostname returns an array of IP addresses. So which one is the correct one? How do you know whether or not your client session connected to the 1st IP in this array?
    The correct place to look is at the socket handle for that Oracle session on the client. And determine to what IP address that socket is connected to.
    This is not that easy - I do not think that the OCI exposes the socket handle it creates. But you can use kernel calls to get a list of established TCP sessions and to what IP address they're connected to. The netstat command on Windows and Unix/Linux is an example of how this can be done.

  • Kerberos authentication with Apache Kerberos Module

    Hi,
    Using the Java GSS tutorials, I have been able to create code to successfully authenticate with our KDC server or from a local ticket cache.
    However, I have been unsuccessful in using the obtained credentials to perform client authentication with a web server running Apache using Kerberos for authentication (mod_kerberos).
    I have tried to use an SSLSocket to connect to the server, which works fine. To request a page that requires client side authentication, I have passed the necessary client headers, over the socket connection e.g.
    GET: http://www.myhost.com/protected_page.html
    HOST: www.myhost.com
    AUTHENTICATE: negotiate XXXXX
    However, I do not know what to put in place of XXXXX. Using some PHP code and Firefox, I have been able to observe what Firefox is passing to the web server to perform client side authentication. It is clearly passing a base64 encoded string, which is related to the cached Kerberos credentials.
    Can anyone tell me how I can use Java and GSS to perform client side authentication with an Apache web server that is using the Kerberos authentication module? I know it is possible to do so using SPNEGO in a Windows environment, but this is a Linux/Unix environment, so it is not an option.
    Thanks for any help or advice,
    Neil.

    Here are your options:
    1) Configure Krb5LoginModule programmatically.
    If the environment variable KRB5CC_NAME points to the ticket cache location,
    (which is updated each time), you can configure the Krb5LoginModule
    programmatically and set the "ticketCache" option to the value obtained
    from KRB5CC_NAME.
    Refer to following docs for details:
    http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/LoginConfigFile.html
    http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
    http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/AppConfigurationEntry.html
    2) Use native Kerberos from the platform
    Java SE 6 provides support for native GSS/Kerberos on Solaris/Linux platforms.
    NOTE: If native GSS/Kerberos on your platform does not have support for SPNEGO,
    you will not be able to use this option.
    For details refer to following docs:
    http://download.java.net/jdk6/docs/technotes/guides/security/jgss/jgss-features.html
    Seema
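    As an added example that is not from this thread, the first option above written out: a programmatic Configuration that points Krb5LoginModule at an existing ticket cache, and a GSS initiator that turns the resulting credential into the base64 token for the Negotiate scheme, which per RFC 4559 travels in the request's Authorization header. It assumes Java 8 or later (for SPNEGO and lambdas), that the cache path is taken from the KRB5CCNAME environment variable, and that the web server's principal is HTTP/www.myhost.com; the class and method names are mine.

    ```java
    import java.security.PrivilegedExceptionAction;
    import java.util.Base64;
    import java.util.HashMap;
    import java.util.Map;
    import javax.security.auth.Subject;
    import javax.security.auth.login.AppConfigurationEntry;
    import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
    import javax.security.auth.login.Configuration;
    import javax.security.auth.login.LoginContext;
    import org.ietf.jgss.GSSContext;
    import org.ietf.jgss.GSSManager;
    import org.ietf.jgss.GSSName;
    import org.ietf.jgss.Oid;

    public class NegotiateHeaderFromCache {

        // Programmatic replacement for a login.conf file (hypothetical name): one entry
        // that makes Krb5LoginModule read an existing ticket cache instead of prompting.
        static final class TicketCacheConfig extends Configuration {
            private final String cachePath;
            TicketCacheConfig(String cachePath) { this.cachePath = cachePath; }

            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("useTicketCache", "true");
                opts.put("ticketCache", cachePath);   // value taken from KRB5CCNAME
                opts.put("doNotPrompt", "true");       // fail rather than ask for a password
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                                              LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        }

        // Builds the value of the HTTP "Authorization" request header (RFC 4559):
        // "Negotiate " followed by the base64 SPNEGO initial token for the service.
        static String negotiateHeader(String cachePath, String hostBasedService) throws Exception {
            LoginContext lc = new LoginContext("krb5-cache", null, null,
                                               new TicketCacheConfig(cachePath));
            lc.login();                                    // loads the TGT from the cache
            Subject subject = lc.getSubject();

            byte[] token = Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
                GSSManager mgr = GSSManager.getInstance();
                Oid spnego = new Oid("1.3.6.1.5.5.2");      // SPNEGO, what "Negotiate" carries
                GSSName server = mgr.createName(hostBasedService, GSSName.NT_HOSTBASED_SERVICE);
                GSSContext ctx = mgr.createContext(server, spnego, null, GSSContext.DEFAULT_LIFETIME);
                ctx.requestMutualAuth(false);              // one leg: client proves itself only
                try {
                    // A service ticket for HTTP/host is fetched from the KDC with the
                    // cached TGT and wrapped into the initial token.
                    return ctx.initSecContext(new byte[0], 0, 0);
                } finally {
                    ctx.dispose();
                }
            });
            return "Negotiate " + Base64.getEncoder().encodeToString(token);
        }

        public static void main(String[] args) throws Exception {
            String cache = System.getenv("KRB5CCNAME");    // set by kinit / the login session
            if (cache == null) throw new IllegalStateException("KRB5CCNAME is not set");
            if (cache.startsWith("FILE:")) cache = cache.substring(5);   // path only
            // Service name in GSS host-based form for the principal HTTP/www.myhost.com.
            System.out.println("Authorization: " + negotiateHeader(cache, "HTTP@www.myhost.com"));
        }
    }
    ```

    If the server is configured for mutual authentication, its WWW-Authenticate reply token has to be fed back into the same GSSContext via initSecContext before the context is disposed.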

  • Kerberos integration with SecurID?

    Hi...
    Is it possible to integrate Kerberos with SecurID? Historically we have run a fairly open system and often user credentials are shared (private keys, etc). I doubt I can do much about this process wise, and any potential solution I can think of I can also think of a workaround for.
    Most of the guys have SecurID tags already and it would seem logical to be able to use this hard authentication to provide the first ticket, and to subsequently validate the connection as tickets expire.
    I have checked the RSA site and there only seems to be a PAM module available. I am also aware of a patch for OpenSSH, but is there anything I can do specifically with Kerberos?
    cheers

    Have you checked http://www.rsa.com/rsasecured/product.aspx?id=1738
    Thanks,
    Tim

  • Samba - pam authentication

    Hi Everybody,
    We are upgrading to samba-3.0.2a with SEAM Kerberos and iPlanet Directory LDAP server support. All three servers run on three different physical Solaris machines. We are able to connect Samba and LDAP. We are trying the security=user option in Samba. For Kerberos support, we thought of a solution of authentication via PAM (the pam_krb5 module), but Samba fails for PAM authentication and it never contacts the Kerberos server. Actually we traced the function calls which try for authentication, which send a PAM handle with null passwords for authentication.
    Please refer to source/auth/auth.c and source/auth/pampass.c, where functions like smb_pam_accountcheck call pam_acctmgmt(), sending a PAM handle pointer pamh.
    The Samba code has a pointer pamh referring to the structure called pam_handle_t. For the structure pam_handle_t, we found a type definition pam_handle in security/pam_appl.h, and no more information on pam_handle is available. Do the Solaris PAM modules lack some files, or does our installation of Solaris lack some files?
    Any suggestions to proceed with pam authentication would be really helpful
    regards
    eccsamba

    I'm having similar problem. In my case, it appears to be configure issue within samba. I'm using
    configure --with-pam
    But when it 'checks' pam_modules.h, it fails because it lacks definitions found in pam_appl.h. It appears to check these files independently, when it should consider them together. I'm currently looking for a way to short-circuit the configure's concerns for pam_modules.h. Mark

  • Configuring Windows XP to use IIS w/ Kerberos

    I need to build a Windows XP SSO solution using IIS 5.1 with Integrated Windows Authentication using Kerberos protocol. IIS will then pass the request over to another application which will need to use a Kerberos JAAS module to authenticate the respective users to the application.
    Does anyone have any instructions or tips on accomplishing this set of tasks? I have very limited experience with Kerberos. Any help would be much appreciated.
    Note: I've gotten this to work using NTLM, so I would like to know the level of difficulty in making the switch over to Kerberos.
    Thanks a lot in advance!
    Message was edited by:
    YvesG

    Because in SAP Help on topics <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm">Single Sign-On with Microsoft Kerberos SSP</a> and
    <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm">Configuring the Application Server</a>, say to copy the gsskrb5.dll file (see SAP Note 595341) to the following directory on the central instance: Drive:\%windir%\system32.
    This text makes me think that the central instance is installed on a Windows Server, but in the SAP Help docs I didn't find the specific information that the central instance must be installed on a Windows Server.

  • Stacking Problem in pam.conf on Solaris 10 ?

    Hi all,
    I have pam.conf with entries for
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1
    As per my understanding:
    (I) SPI pam_authtok_get.so.1 is used to get the user credentials from the password DB.
    (II) SPI pam_authtok_check.so.1 is used to check if the new password supplied satisfies the password policy on the OS (by reading values from /etc/default/passwd).
    (III) SPI pam_authtok_store.so.1 is used to store the newly entered password to the password DB.
    Please correct me if I am wrong anywhere.
    Now I have a requirement that an application has to be written which will just check whether the entered password satisfies the password policies of the OS or not, but it should not update the password DB (should not store the password).
    I made the following entries in my pam.conf:
    osPasswdCheck password required pam_dhkeys.so.1
    osPasswdCheck password requisite pam_authtok_get.so.1
    osPasswdCheck password requisite pam_authtok_check.so.1
    I removed the entry for pam_authtok_store.so.1 as I don't want to store it, but when I run my application it always gives error 20, authentication manipulation error.
    Please refer to /usr/include/security/pam_appl.h.
    I have done all the formalities w.r.t. writing a PAM conversation function, and the application returns success when I add pam_authtok_store.so.1 into the SPI stack.
    Can anyone please help me out? Is there any other way with which I can use my application just to check the password (w.r.t. OS policy)?
    I will be really thankful if anybody can provide me with a working PAM module stack for achieving it.
    Thanks in advance.
    Regards,
    Rahul.

    Why not just keep the "pam_authtok_store.so.1" line in your pam.conf file and set it to a level of "requisite" or lower? I haven't tried it myself yet, but I've found that in the past when editing this file, completely removing a line rather than giving the PAM stack what it would expect to see with that line being there in some way can also cause problems.
