% pam-krb5-slides.tex -- Slides for tutorial on Kerberos and PAM.
% $Id: pam-krb5-slides.tex 2953 2007-05-02 00:20:02Z eagle $
%
% Written by Russ Allbery <rra@stanford.edu>

\documentclass[landscape,semhelv]{seminar}
\usepackage{url}
\usepackage{hyperref}

\newpagestyle{mypagestyle}%
  {Stanford University \hfil \thedate \hfil \thepage}%
  {\hfil Russ Allbery (rra@stanford.edu) \hfil}
\pagestyle{mypagestyle}

\begin{document}

\begin{slide}
  \begin{center}
    {\large Kerberos and PAM}

    \vspace{1in}
    
    Russ Allbery \\
    May 1, 2007
  \end{center}
\end{slide}

\begin{slide}
  \section*{Contents}

  \begin{itemize}
  \item What is PAM?
  \item The PAM Groups
  \item PAM for Login
  \item PAM for Screen Savers
  \item Kerberos PAM Modules
  \item PAM Configuration
  \item Linux PAM Example
  \item Solaris PAM Example
  \item Special Configuration
  \end{itemize}
\end{slide}

\begin{slide}
  \section*{What is PAM?}

  \begin{itemize}
  \item Pluggable Authentication Modules
  \item Abstracts the user authentication and session setup process
  \item Only does authentication and simple authorization
  \item Developed originally on Solaris
  \item Enhanced but mostly compatible version on Linux
  \item Now used by many UNIXes, but implementation varies
  \end{itemize}
\end{slide}

\begin{slide}
  \section*{The PAM Groups}

  \begin{itemize}
  \item PAM divides the login process into groups
    \begin{itemize}
    \item auth: Prompts for and verifies password
    \item account: Simple authorization decisions (only for login)
    \item session: Prepares for an interactive session
    \item password: Handles authentication token changes
    \end{itemize}
  \item setcred, the odd step-child
  \item setcred vs. open\_session: who knows?  who cares?
  \end{itemize}
\end{slide}

\begin{slide}
  \section*{PAM for Login}

  \begin{itemize}
  \item auth group prompts for password, does basic authentication
    \begin{itemize}
    \item Store the credentials in a separate temporary cache
    \item Don't chown the credential cache to the user until setcred
    \end{itemize}
  \item account group does basic authorization
  \item setcred stores credentials and adds supplemental groups
  \item session group creates a login session
  \item When the user logs out, session group closes the login session
  \end{itemize}
\end{slide}

\begin{slide}
  \section*{PAM for Screen Savers}

  \begin{itemize}
  \item auth group prompts for password, does basic authentication
  \item account group could do authorization, but screen savers frequently skip it
  \item setcred called to refresh credentials (PAM\_REINITIALIZE\_CRED / PAM\_REFRESH\_CRED)
  \item session group not called
  \item Bad screen savers don't call setcred and thereby lose the refreshed credentials
  \end{itemize}
\end{slide}

\begin{slide}
  \section*{Kerberos PAM Modules}

  \begin{itemize}
  \item Sourceforge pam\_krb5
  \item Red Hat pam\_krb5
  \item My pam-krb5, based on Frank Cusack's module
  \item Solaris native pam\_krb5
  \end{itemize}
\end{slide}

\begin{slide}
  \section*{PAM Configuration}

  \begin{itemize}
  \item Debian: \texttt{/etc/pam.d/common-*}
  \item Red Hat: \texttt{/etc/pam.d/system-auth}
  \item Solaris: \texttt{/etc/pam.conf}
  \item Whether to use a Kerberos PAM module for password changes
  \end{itemize}
\end{slide}

\begin{slide}
  \section*{Linux PAM Example}

\footnotesize
\begin{verbatim}
auth      sufficient  pam_krb5.so
auth      required    pam_unix.so try_first_pass
account   required    pam_krb5.so
account   required    pam_unix.so
session   optional    pam_krb5.so
session   required    pam_unix.so
password  sufficient  pam_krb5.so minimum_uid=1000
password  required    pam_unix.so obscure min=6 md5
\end{verbatim}
\end{slide}

\begin{slide}
  \section*{Solaris PAM Example}

\footnotesize
\begin{verbatim}
login auth sufficient /usr/local/lib/security/pam_krb5.so
    minimum_uid=100
login auth required /usr/lib/security/pam_unix_auth.so.1
    use_first_pass
login account required /usr/local/lib/security/pam_krb5.so
    minimum_uid=100
login account required /usr/lib/security/pam_unix_account.so.1
login session required /usr/local/lib/security/pam_krb5.so
    retain_after_close minimum_uid=100
login session required /usr/lib/security/pam_unix_session.so.1
\end{verbatim}
(Lines are wrapped here for display only; each entry is a single line in \texttt{/etc/pam.conf}.)
\end{slide}

\begin{slide}
  \section*{Special Configuration}

  \begin{itemize}
  \item minimum\_uid or ignore\_root
  \item MIT Kerberos needs master\_kdc setting for password expiry
  \item SSH and ticket cache initialization
  \item SSH and ChallengeResponseAuthentication
  \item search\_k5login and shared role accounts
  \item PKINIT
  \item AFS --- see talk on Friday
  \end{itemize}
\end{slide}

\end{document}
