Kerberos 5 PAM module

rcorder · 2007-10-19 06:39:51

I've uploaded a PKGBUILD for pam-krb5 3.6

http://aur.archlinux.org/packages.php?d … s=0&SeB=nd

Allows pluggable authentication via PAM against a KDC.

later.
ryanc

AlecTavi · 2007-10-22 19:14:18

Thanks for the addition! I was planning on adding one for that version of pam_krb5 myself, but you saved me the trouble.

I do notice, however, that the dependency lists only Heimdal as a possible Kerberos implementation. Does Archlinux not have MIT Kerberos anywhere? I can't find any package/PKGBUILD, but I'm still learning Arch (converting from years of Gentoo). Does anyone know the state of MIT kerberos on Arch? I'd prefer to use it for this sort of thing.

rcorder · 2007-10-22 20:21:39

I too am switching over from the world of Gentoo. At my previous job, I managed a lot of about 30 Gentoo boxes and 10 OpenBSD boxes.

Heimdal is the Kerberos distribution of choice in Arch Linux, unless you make a package for mit-krb5 your own, you'll have to use Heimdal as it is officially part of Arch Linux in the 'extra' repo. Personally, I like Heimdal better -- it's smaller, supports newer ciphers, but isn't as common therefore is an afterthought by some authors implementing Kerberos support in their software. So, the easiest way is to get it in via PAM since most programs that need auth support PAM on Linux. Also, it is the default Kerberos implementation for most of the BSDs, so it integrates easier for me between Linux and BSD.

You'll notice that the version in the package isn't the latest available. 3.6 is the latest I can get to compile with Heimdal where as 3.8 has been released. Remeber the part about Heimdal being an afterthought? Seems the new PKINIT support in versions > 3.6 doesn't quite work with Heimdal although the author claims it does.

I hope the package works well for you. If you need some example configs just let me know.

Oh, and be sure to vote for it in AUR so we can get it into the 'community' repo!

thanks.
ryanc

AlecTavi · 2007-10-22 20:35:50

How funny, OpenBSD was the only other major contender for my newest home server...

Anyway, it's good to know I didn't miss the MIT distribution somewhere. I'm happy using Heimdal myself. After using it on OpenBSD, MIT seems too convoluted. I only planned on using it because most Linux distributions heavily favor it. Hurray for Heimdal!

I'll take a look at the 3.8 build. I've done a bunch of PAM development in the past (writing a few custom modules from scratch), so I might be able to hack it into something usable. Really though, there aren't any major feature improvements between 3.6 and 3.8, so I don't think anyone will miss out. When 3.9 is released, however, it will definitely be worth getting it working. There are a few significant bug fixes in there.

rcorder · 2007-10-22 21:17:56

seems the problem is in auth.c, related to the recently added PKINIT support. I haven't done anything with PAM before, so I didn't really fell up for diving in at the moment

let me know if you work up a patch. the author seems fairly willing to accept help with the Heimdal side of things as he doesn't have a Heimdal installation to test against, I think.

Arch Linux

#1 2007-10-19 06:39:51

Kerberos 5 PAM module

#2 2007-10-22 19:14:18

Re: Kerberos 5 PAM module

#3 2007-10-22 20:21:39

Re: Kerberos 5 PAM module

#4 2007-10-22 20:35:50

Re: Kerberos 5 PAM module

#5 2007-10-22 21:17:56

Re: Kerberos 5 PAM module

Board footer