June 2003
Intermediate to advanced
336 pages
8h 54m
English
Content preview from Linux Security CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
4.17. Using Kerberos with PAM for System-Wide Authentication
Problem
You want your existing MIT Kerberos-5 realm to be used pervasively in system authentication.
Solution
Run authconfig (as root) and turn on the option “Use Kerberos 5.” The needed parameters for realm, KDC, and Admin server should be prefilled automatically from /etc/krb5.conf.
Discussion
Turning on the Kerberos option in authconfig alters various PAM configuration files in /etc/pam.d to include Kerberos. In particular, it allows Kerberos in /etc/pam.d/system-auth , which controls the authentication behavior of most servers and programs that validate passwords under Red Hat.
# grep -l system-auth /etc/pam.d/*
/etc/pam.d/authconfig
/etc/pam.d/authconfig-gtk
/etc/pam.d/chfn
...dozens more lines...As a side effect, the general login process (e.g., via telnet, gdm/xdm, console, etc.) will automatically obtain Kerberos credentials on login, removing the need to run a separate kinit, as long as your Linux and Kerberos passwords are the same.
Warning
Avoid authconfig if you have a custom PAM configuration. authconfig overwrites PAM files unconditionally; you will lose your changes.
The configuration produced by authconfig still allows authentication via local Linux passwords as well (from /etc/passwd and /etc/shadow). By tailoring /etc/pam.d/system-auth , however, you can produce other behavior. Consider these two lines:
/etc/pam.d/system-auth: auth sufficient /lib/security/pam_unix.so likeauth nullok auth sufficient /lib/security/pam_krb5.so ...