Transparent Kerberos Login with PAM


7.4 Mac OS X and the Login Window

The initial console login window presented to Mac OS X users is called, appropriately enough, the loginwindow. Unfortunately, loginwindow's PAM support is incomplete. Luckily for Kerberos 5 users, Apple has provided special support in the loginwindow shipped with Mac OS X 10.2 and above to provide users with Kerberos tickets when logging into their OS X system. The procedure for enabling Kerberos support in the Mac OS X loginwindow application is documented in the AppleCare document 107154, "Mac OS X 10.2: How to Enable Kerberos Authentication for Login Window." Note that the method to enable this facility is subject to change in future OS X revisions.

Just like PAM, there are two basic options available when enabling Kerberos login support in OS X. You can either require valid Kerberos credentials for successful local login, or simply acquire Kerberos tickets if the local password is the same as the Kerberos password. The Mac OS X Security and Authorization Services use the /etc/authorization file, and this is the file that we'll use to enable Kerberos authentication in loginwindow.

First, to require valid Kerberos credentials for login to the local system, Mac OS X can either require a valid host keytab or operate without a host keytab. Note that, as we discussed in Chapter 6, a host keytab is required to defend against man-in-the-middle attacks against the Kerberos system. Since Mac OS X does not include the kadmin utility, the best way to get a host key onto the Macintosh host is to create and extract the host key for the OS X host on the KDC and use Secure Shell, installed by default on OS X, to copy the key securely to the Mac.
In order to require Kerberos credentials when a host keytab is present, search for the system.login.console key in the /etc/authorization file and replace it with the following:

    <key>system.login.console</key>
    <dict>
        <key>eval</key>
        <string>loginwindow_builtin:login,krb5auth:authenticate,loginwindow_builtin:success</string>
    </dict>

If, on the other hand, you still wish to require Kerberos credentials even though a valid keytab is not present, you can replace the system.login.console key with the following text:

    <key>system.login.console</key>
    <dict>
        <key>eval</key>
        <string>loginwindow_builtin:login,krb5auth:authnoverify,loginwindow_builtin:success</string>
    </dict>
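As an added illustration (not code from the book or from Apple), the following Python script applies the /etc/authorization edit described above with the standard plistlib module and reports which of the two modes a file is in, so an administrator can spot hosts still running with the unverified (keytab-less) chain. The sample plist is constructed, and its nesting of system.login.console under a "rights" dictionary is an assumption about the file's layout, which is why the lookup also accepts the key at the top level.

```python
import plistlib

# Constructed sample of an /etc/authorization plist containing only the right
# this section edits (the real file holds many more rights and a "rules" dict).
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>eval</key>
      <string>loginwindow_builtin:login,loginwindow_builtin:success</string>
    </dict>
  </dict>
</dict>
</plist>
"""

RIGHT = "system.login.console"
# The two eval chains from this section: with a host keytab the KDC reply is
# verified (authenticate); without one it is accepted unverified (authnoverify).
EVAL_VERIFIED = "loginwindow_builtin:login,krb5auth:authenticate,loginwindow_builtin:success"
EVAL_UNVERIFIED = "loginwindow_builtin:login,krb5auth:authnoverify,loginwindow_builtin:success"


def _find_right(root: dict) -> dict:
    """Locate the system.login.console dict, at top level or under 'rights' (assumed layout)."""
    if RIGHT in root:
        return root[RIGHT]
    rights = root.get("rights", {})
    if RIGHT in rights:
        return rights[RIGHT]
    raise KeyError(f"{RIGHT} not found in authorization plist")


def console_eval(plist_bytes: bytes) -> str:
    """Return the current eval chain configured for the console login right."""
    return _find_right(plistlib.loads(plist_bytes))["eval"]


def set_console_rule(plist_bytes: bytes, require_keytab: bool) -> bytes:
    """Rewrite the right's eval chain and return the whole plist re-serialised as XML."""
    root = plistlib.loads(plist_bytes)
    _find_right(root)["eval"] = EVAL_VERIFIED if require_keytab else EVAL_UNVERIFIED
    return plistlib.dumps(root)


def audit_console_rule(plist_bytes: bytes) -> str:
    """Classify the right: 'keytab-verified', 'unverified' (MITM-exposed) or 'no-kerberos'."""
    mechs = console_eval(plist_bytes).split(",")
    if "krb5auth:authenticate" in mechs:
        return "keytab-verified"
    if "krb5auth:authnoverify" in mechs:
        return "unverified"
    return "no-kerberos"
```

On a real system the bytes would come from reading /etc/authorization and the result written back with root privileges; the audit function is what you would run across a fleet to find hosts that were configured without a keytab.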