On Wed, Sep 19, 2007 at 08:06:42PM +0100, Markus Moeller wrote:

> Did you have a chance to look at the keytab verification problem I
> mentioned some time ago? Right now you need to have a host/fqdn entry to
> verify the tickets, but this means the application needs to run as root
> (assuming verify_ap_req_nofail is set to true, which I think should be the
> default for pam anyway).

Solaris PAM requires that PAM functions be called with all [zone] privileges asserted. It's a very good simplifying assumption that PAM modules will need privilege, and PAM being pluggable, the framework and the application cannot know a priori which privileges a module might need. I would apply the same constraint to Linux-PAM.

Applications like screen savers must either be part of the trusted base, and setuid or what-have-you, or they must be able to use a helper process to handle authentication.

Nico
--

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
