robertogonzalezazevedo / pamcntlm

Integration between CNTLM and PAM
GNU General Public License v2.0

Rebase against maintained version #1

Open jschwartzenberg opened 4 years ago

jschwartzenberg commented 4 years ago

Hi @robertogonzalezazevedo! Did you consider rebasing this against https://github.com/versat/cntlm and possibly creating a PR? This fork is still maintained; I am looking to bring all CNTLM patches that are around together there.

In what kind of use case would PAM authentication be used with CNTLM?

jschwartzenberg commented 4 years ago

I found your description here: https://github.com/Evengard/cntlm/issues/9

As the version I mentioned has Kerberos using the ticket of the user running CNTLM, would your patch enable a system-wide CNTLM that might use the credentials/Kerberos ticket from the user whose TCP connection is accessing it? That would be a huge improvement!

jschwartzenberg commented 4 years ago

Initial branch with a rebased patch is here: https://github.com/jschwartzenberg/cntlm/commits/pam

jschwartzenberg commented 4 years ago

I found some ideas on how to use all this here: https://sourceforge.net/p/pamcntlm/code/HEAD/tree/cntlm.sysconfig and https://sourceforge.net/p/cntlm/feature-requests/14/

It's interesting this enables sharing a single instance for multiple users. Getting the password from PAM and keeping the hashes around probably isn't needed anymore when the user has a Kerberos ticket, but some rework would be necessary to let the shared memory version pick up a user's Kerberos ticket. This is presuming there are no environments anymore that are not supporting Kerberos but would still need the old hashes.