It allows user logins for user not known to the local host. In our case we
want to use Kerberos as a kind of central and secure storage for user
passwords. The user is able to authenticate via pam_krb5, but will gain
host access for another identity / role.
The manual page of Fedora pam_krb5 and the option no_user_check:
no_user_check
tells pam_krb5.so to not check if a user exists on the
local
system, to skip authorization checks using the user?s
.k5login
file, and to create ccache files owned by the current
process?s
UID. This is useful for situations where a
non-privileged
server process needs to use Kerberized services on
behalf of
remote users who may not have local access. Note that such
a
server should have an encrypted connection with its
client in
order to avoid allowing the user?s password to be
eavesdropped.
Sonja
From:
Russ Allbery <[email protected]>
To:
Sonja Benz/Germany/IBM@IBMDE
Cc:
[email protected]
Date:
07/15/2011 09:50 PM
Subject:
Re: pam_krb5 for AIX
Sonja Benz <[email protected]> writes:
> That's great. We need a pam_krb5 which supports an option like
> "no_user_check". I guess, yours does not?
What does that option do?
--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
