Services and Keytabs Applications


7.3 Transparent Kerberos Login with PAM

When a user logs into his workstation at the beginning of the day, we want that user to acquire a Kerberos Ticket Granting Ticket when he enters his credentials. We'll call this transparent Kerberos login. Windows 2000, XP, and 2003 automatically acquire tickets upon login when the user is part of a Windows domain. However, for other systems, we have to configure this step manually. In Unix, the simplest and most portable way to get initial credentials for a user upon login is through the Pluggable Authentication Modules (PAM), which are available on most operating systems. Using PAM, you can acquire Kerberos tickets for logins that occur on the system's console and through any other network-based protocol, but we want to avoid sending passwords over the network.

Historically, applications such as the console login program and the X Window System login program (xdm) all had to be modified to support new authentication methods. This introduced a maintenance and security nightmare, as locally maintained patches had to be made to system software to enable authentication methods other than the standard Unix password file. Worse yet, if the operating system comes without source, you may not even be able to replace the program with one that performs the necessary authentication method.

PAM solves this problem by providing a standard plug-in interface that both application developers and authentication method developers can write to. A mapping file maps each application's authentication requests to the appropriate authentication methods, so that authentication modules can be added and removed on the fly, without recompiling the application. Linux, FreeBSD, Solaris, and HP-UX all include PAM support, and more operating systems are adding support.

However, PAM is not a panacea. It only supports traditional username and password authentication, so PAM works best when authenticating local (i.e., on the console) login requests.
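As an added example (not from the book), this is what the mapping file described above looks like on a Linux-PAM system for the console login service. The file path /etc/pam.d/login, the module name pam_krb5.so and the options minimum_uid and try_first_pass are assumptions about the target system: they are the names used by the common Linux pam_krb5 implementations, and other vendors (Solaris, HP-UX) use a single /etc/pam.conf with the service name as a first column instead.

```conf
# /etc/pam.d/login (Linux-PAM layout; assumed for this example, not from the book)
# Console login: try Kerberos first so that a successful password check also
# leaves the user holding a TGT, then fall back to the local password file.

# auth stack: "sufficient" means a Kerberos success ends the stack here;
# minimum_uid keeps system accounts (root, daemons) on local auth only.
auth     sufficient  pam_krb5.so minimum_uid=1000
# If Kerberos fails (no principal, KDC unreachable), reuse the password the
# user already typed against /etc/shadow rather than prompting a second time.
auth     required    pam_unix.so try_first_pass

# account stack: either module may veto the login (expired principal,
# locked local account).
account  required    pam_krb5.so
account  required    pam_unix.so

# password stack: password changes go to the KDC, with the local file as fallback.
password sufficient  pam_krb5.so minimum_uid=1000
password required    pam_unix.so try_first_pass

# session stack: pam_krb5 moves the TGT obtained during auth into the user's
# credential cache at login and destroys it at logout.
session  optional    pam_krb5.so
session  required    pam_unix.so
```

The ordering matters: if pam_unix were listed as sufficient before pam_krb5, a valid local password would end the auth stack before any ticket was requested, and the login would silently stop being transparent. After changing a stack, keep a root shell open and test a fresh login on another console before logging out, since a misordered required entry can lock every user out.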
Network-based services should use native Kerberos authentication to take advantage of the single-sign-on capabilities of Kerberos and to avoid sending plaintext passwords across the network. PAM cannot provide native Kerberos authentication through the Kerberos ticket exchange. In addition, PAM implementations differ slightly from vendor to vendor, so PAM modules that work on one vendor's OS may not work on another vendor's OS. The differences are usually small enough that they can be easily worked around, but it is something to be aware of when using PAM.

More Information About PAM

The following Unix operating system vendors have web sites that describe their support of the PAM framework:

• HP-UX: http://www.hp.com/products1/unix/operating/security