sftp/Kerberos

Randy McMurchy randy at linuxfromscratch.org
Wed Aug 1 23:29:40 PDT 2007


Alexander E. Patrakov wrote these words on 08/01/07 23:00 CST:

> Very interesting. Could you please paste the output of the following 
> commands from one of them (assuming that the user "randy" is in Kerberos):
> 
> getent passwd randy
> id randy
> strace id randy

Please allow me to do some additional research on stand-alone Kerberos
installations. At this point I believe I'm wrong with the statements
I made earlier as I was going on memory and all my installations
combine LDAP/Kerberos/PAM/nss_db to eliminate the /etc/passwd file.
After thinking about it, and studying your comment, I now think that
a stand-alone Kerberos installation *does* use /etc/passwd for the
Glibc 'getent' and 'id' functions. My bad, and sorry for the
confusion.

My experience is in creating a Kerberos environment that does *not*
rely on /etc/passwd, as it uses the nss_db Glibc function to take
care of things (which fetches LDAP information instead of /etc/passwd
information). See my incomplete (and not really worthwhile, nor fully
functional) hint about this subject at
http://www.mcmurchy.com/lfs/ldap-nameservice.txt

I never finished this hint due to an inherent flaw with nss_db. I
now think that is why Ulrich dropped nss-db years ago from the Glibc
base package. I'll discuss this further if anyone is interested. The
hint works, and is workable in most cases, but there are limitations.
But for most instances it could substitute for NIS. There is a flaw,
however, though it may not be seen in most installations.

As an aside and pure coincidence, I'm subscribed to the Heimdal
Kerberos mailing list and there is a thread about a situation with
OpenSSH. You can see it at
http://www.stacken.kth.se/lists/heimdal-discuss/2001-01/msg00006.html

I did not read the thread, and I don't know if there is anything that
may be helpful to the situation we're discussing. However there may
be information that may be useful. If not, sorry to lead you into a
dead end.

-- 
Randy

rmlscsi: [bogomips 1003.26] [GNU ld version 2.16.1] [gcc (GCC) 4.0.3]
[GNU C Library stable release version 2.3.6] [Linux 2.6.14.3 i686]
00:51:00 up 42 min, 1 user, load average: 0.01, 0.18, 0.20


