Sonja Benz <sonja.b...@de.ibm.com> writes:

> It allows user logins for users not known to the local host. In our case
> we want to use Kerberos as a kind of central and secure storage for user
> passwords. The user is able to authenticate via pam_krb5, but will gain
> host access for another identity / role.
Thanks! If the user doesn't exist on the local system, most of the behavior of no_user_check is the default behavior for my pam-krb5 module. It only does authorization checks if the authenticating username exists as a local account on the system and assumes that, if it doesn't, either the intended use case is the one you describe or some other PAM module will notice that the account doesn't exist and do the appropriate thing.

Note that pam_setcred will fail, however, for non-local accounts (since it generally doesn't make sense to write out a ticket cache for a non-local account). That's the one part of this option that I don't support currently.

Do you need to have a ticket cache created on local disk for the user after authentication, or do you just need to verify authentication?

-- 
Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos