--On Saturday, February 09, 2008 12:18:54 PM +0000 Phil Mayers <p.mayers@imperial.ac.uk> wrote:
Note that this violates the general advice of never setting Auth-Type, explicitly; this is necessary because rlm_krb5 does not provide any authorize handling and will not set Auth-Type automatically like many other modules do.
s/will not/cannot/?
How eould rlm_krb5 run in authorize {} and know that the user is a valid kerberos user without getting a ticket?
It can't, really. But what it could do is what rlm_pap does, which is to assume that if there's a password in the request and Auth-Type isn't set yet, you must want to use this module (actually, rlm_pap also requires there be a password or hash in the users database, but of course Kerberos doesn't need that and as you point out, there's no easy way to check the KDB). With such a check, krb5 could be listed after pap in the default authorize configuration, and would pick up any PAP requests for which the users database does not contain password.
At the moment, the "best" (least worst) option is to use something like this:
authorize { preprocess eap mschap files } authenticate { Auth-Type MSCHAP { mschap } Auth-Type KRB5 { krb5 } }
..and in the files have this:
DEFAULT Auth-Type = KRB5
Yes, I suppose with configuration like that you could avoid the code I describe above. I do think there's some benefit to handling this in the module's authorize handler, if only so we can avoid telling people to set Auth-Type in the users database.
Another alternative would be to redesign such that the various PAP "oracles" (krb5, pam) are sub-modules of the pap module, perhaps run in a defined order:
Perhaps, though I'd avoid putting too much complexity in the rlm_pap configuration. People who actually need something complicated can always use rlm_pam and take advantage of PAM's configuration engine (though that does limit you to platforms which have PAM libraries). What I'd really like to see is an easy way for the users database to specify which submodule gets to handle PAP requests. I suppose that can be accomplished as in your example, by listing files last in the authorize section and set-if-unset Auth-Type in each user entry. -- Jeff