Subject: Re: Centralized User and Password Management
To: Tillman Hodgson <tillman@seekingfire.com>
From: Dick Davies <rasputnik@hellooperator.net>
List: netbsd-users
Date: 11/24/2004 18:43:16
* Tillman Hodgson <tillman@seekingfire.com> [1144 16:44]:
> On Wed, Nov 24, 2004 at 04:16:13PM +0000, Dick Davies wrote:
> > > 
> > > Doing a quick check, ssh is now linked to libkrb5, but xdm is not.
> > > What do you use to start X?
> > 
> > What you could do is have xdm talk via PAM to pam_krb5, which should
> > go and get your ticket for you.
> Does NetBSD have PAM now? I was under the impression that it was still
> verboten. A quick check on my NetBSD 2.0G system doesn't find anything
> PAMish ...
Sorry, that wasn't clear. You'd need to compile your own xdm and ssh.
(but you'd need to do that to get krb5 support in xdm in any case).

NetBSD has security/PAM in pkgsrc. I use pam_ldap to hook pretty much
everything into openldap for user/pass management - but those are just
other things from pkgsrc (which has pretty good PAM support).

What it doesn't have is
* nss_ldap (though LukeM mentioned that's in the pipeline)
* PAM support in the base

so I don't bother with it for system users.

> If NetBSD /did/ support PAM, that makes many Kerberos things much
> easier (although using "native" Kerberos services instead is vastly
> preferred).

Since most of the base has krb5 support, that's probably a better bet.
I shy away from it because too few client apps on other systems support it.

-- 
This must be Thursday. I never could get the hang of Thursdays. - Arthur Dent
Rasputin :: Jack of All Trades - Master of Nuns
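A PAM stack of the kind described above for xdm, added here as an illustration and not taken from the original message or from pkgsrc: it assumes Linux-PAM style /etc/pam.d syntax (what security/PAM provides), a pam_krb5 module installed from pkgsrc, and pam_unix as the local fallback; the file path, module names and the `try_first_pass` option are assumptions.

```conf
# /etc/pam.d/xdm   (assumed path; Linux-PAM style syntax)

# Authenticate against the KDC first. On success pam_krb5 also obtains the
# user's initial ticket, which is the point of routing xdm through PAM.
auth      sufficient  pam_krb5.so
# Local fallback for accounts that have no Kerberos principal
# (try_first_pass reuses the password already typed at the xdm prompt).
auth      required    pam_unix.so try_first_pass

# Account checks: Kerberos principal first, then local account status.
account   sufficient  pam_krb5.so
account   required    pam_unix.so

# Session: pam_krb5 makes the credential cache available to the X session,
# so clients started under xdm inherit the ticket via KRB5CCNAME.
session   required    pam_krb5.so
session   required    pam_unix.so
```

This stack is only consulted if the xdm binary itself was built with PAM support, which on NetBSD of this vintage means building xdm from pkgsrc rather than using the one in the base system.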