authorDiego Elio 'Flameeyes' Pettenò <flameeyes@gmail.com>2010-07-23 15:59:44 +0200
committerDiego Elio 'Flameeyes' Pettenò <flameeyes@gmail.com>2010-07-23 15:59:44 +0200
commit736f9b9f43c2468dd0cb5c5343cb8969d5492a4d (patch)
tree74950657d26fb7e78b254ca64e1acbbd69cca32d /basic-conf
parentImprove handling of services and the session chain. (diff)
Add support for pam_krb5 module for Kerberos authentication.
This implements drop-in support for Kerberos (pam_krb5) in Gentoo systems; if the kerberos USE flag has been enabled, it'll use pam_krb5 for login, ignoring pam_unix, but no other module in the chain. It requires Linux-PAM.
Diffstat (limited to 'basic-conf')
-rw-r--r--basic-conf32
1 files changed, 29 insertions, 3 deletions
diff --git a/basic-conf b/basic-conf
index 902ff8d..e40a2f6 100644
--- a/basic-conf
+++ b/basic-conf
@@ -1,9 +1,19 @@
// Only use_authtok (authentication token) when using cracklib or some other module
-// that checks for passwords.
+// that checks for passwords, or pam_krb5
+#define AUTHTOK use_authtok
+
#if HAVE_CRACKLIB || HAVE_PASSWDQC
-# define AUTHTOK use_authtok
+# define PASSWORD_STRENGTH 1
+#endif
+
+#if HAVE_KRB5 && PASSWORD_STRENGTH
+# define KRB5_AUTHTOK AUTHTOK
+#endif
+
+#if HAVE_KRB5 || PASSWORD_STRENGTH
+# define UNIX_AUTHTOK AUTHTOK
#else
-# define AUTHTOK
+# define UNIX_AUTHTOK AUTHTOK
#endif
// Define DEBUG to an empty string unless it was required by the user
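Review bot: Both branches of the `#if HAVE_KRB5 || PASSWORD_STRENGTH` block define `UNIX_AUTHTOK` as `AUTHTOK`, and `AUTHTOK` is now unconditionally `use_authtok`, so pam_unix receives `use_authtok` even when neither a strength checker nor pam_krb5 precedes it. The removed lines left the token empty in that case; with nothing earlier in the password stack to supply the new token, password changes would be expected to fail. The `#else` branch should read `# define UNIX_AUTHTOK` (empty). `KRB5_AUTHTOK` likewise has no `#else`, so with HAVE_KRB5 set and no strength checker the name stays undefined; if the templates outside this hunk reference it, the preprocessor would pass the literal name into the generated PAM file, so an empty `# define KRB5_AUTHTOK` fallback is worth adding.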
@@ -18,3 +28,19 @@
#ifndef LIKEAUTH
#define LIKEAUTH
#endif
+
+#define KRB5_PARAMS DEBUG ignore_root try_first_pass
+
+/* By using the extended Linux-PAM syntax for this, it is possible to
+ fine-tune the Kerberos handling so that it works out of hte box on
+ most desktop systems.
+
+ What this control operation does is ignore failures and errors from
+ Kerberos (falling back on local pam_unix auth), but if it's good,
+ it'll skip over the following module (pam_unix) with an accepted
+ status.
+
+ IMPORTANT! Make sure that the only thing that comes right after
+ pam_krb5 with KRB5_CONTROL is pam_unix!
+ */
+#define KRB5_CONTROL [success=1 default=ignore]
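Review bot: The comment above `KRB5_CONTROL` should say which stack the macro is meant for, because `default=ignore` discards every non-success result from pam_krb5, not only authentication failures. In the auth stack that gives the intended fallback to pam_unix, but if the same macro were applied to account management (its use sites are outside this hunk), results such as `acct_expired` or `new_authtok_reqd` from pam_krb5 would be dropped and the local pam_unix check alone would decide. I would add to the comment: `Use KRB5_CONTROL only in the auth stack; elsewhere default=ignore hides expiry and lockout results from pam_krb5.` The `success=1` jump is positional, so a module inserted between pam_krb5 and pam_unix would be the one skipped; the existing IMPORTANT note covers this, and repeating it at each use site would make it harder to miss. The comment also contains the typo `hte`.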