Date:      Fri, 21 Oct 2005 16:17:52 +0200
From:      Stijn Hoop <stijn@win.tue.nl>
To:        Harti Brandt <harti@freebsd.org>
Cc:        hackers@freebsd.org
Subject:   Re: telnetd/sshd and Kerberos tickets (PAM)
Message-ID:  <20051021141752.GQ6916@pcwin002.win.tue.nl>
In-Reply-To: <20051021160017.D4007@beagle.kn.op.dlr.de>
References:  <20051021160017.D4007@beagle.kn.op.dlr.de>


On Fri, Oct 21, 2005 at 04:08:14PM +0200, Harti Brandt wrote:
> I have enabled the pam_krb5 module in pam.d/{login,telnetd,sshd}. When
> logging in locally I get a Kerberos ticket as I would expect. When logging
> in via ssh or telnet I don't get one. I have dug around in the sources
> and it looks like telnetd never calls pam_setcred() which would do this
> work. My PAM-foo is rather limited so my question is: shouldn't sshd and
> telnetd call pam_setcred() somewhere?

WRT sshd I bugged des@ about this but did not receive an answer :( See
the attached mail.

--Stijn

-- 
There are of course many problems connected with life, of which some of
the most popular are 'Why are people born?', 'Why do they die?', and
`Why do they spend so much of the intervening time wearing digital
watches?'
		-- Douglas Adams, "The Hitchhikers Guide To The Galaxy"

----- Attached message (des_mail.txt) -----

Hi,

I sent this 2 weeks ago but got no response. Did I miss anything? I'd
appreciate even a quick 'yes' or 'no' (although a pointer to more
docs would also be nice).

--Stijn

----- Forwarded message from Stijn Hoop <stijn@win.tue.nl> -----

From: Stijn Hoop <stijn@win.tue.nl>
Date: Wed, 7 Sep 2005 20:48:09 +0200
To: des@freebsd.org
Subject: pam_krb5 / pam_sm_setcred not getting called with PAM_ESTABLISH_CRED

Hi Dag-Erling,

sorry to bother you directly but I can't find good info on PAM
internals on the net. If you do have some pointers I'll gladly read
more myself.

In any case, the quick quick version of the problem is this:
is it allowed for an application to only call pam_setcred with the
PAM_REINITIALIZE_FLAG, while never having called it with PAM_ESTABLISH_CRED?

More details below and in my other post to arch@ with the same subject.

I would be obliged if you could answer this question.

Thanks!

--Stijn

----- Forwarded message from Stijn Hoop <stijn@win.tue.nl> -----

From: Stijn Hoop <stijn@win.tue.nl>
Date: Sat, 3 Sep 2005 16:55:06 +0200
To: freebsd-arch@freebsd.org
Subject: Re: pam_krb5 / pam_sm_setcred not getting called with PAM_ESTABLISH_CRED

On Sat, Sep 03, 2005 at 11:44:34AM +0200, Stijn Hoop wrote:
> I'm debugging a problem on 5-STABLE where I've set up a KDC using Heimdal
> in the base system, and activated pam_krb5 in /etc/pam.d/sshd. It turns out
> that pam_krb5 does not establish the credential cache for the authenticated
> user. After reinstalling pam with DEBUG & PAM_DEBUG, it turns out that
> pam_sm_setcred is only called with PAM_REINITIALIZE_CRED as flags, and
> never with PAM_ESTABLISH_CRED, which is the only case for which a credential
> cache will be saved (in all other cases, PAM_SUCCESS is returned immediately,
> which is why I don't have a cache).

Further digging reveals that this is due to the sshd code; it turns
out that unless PrivilegeSeparation is off, it will not 'establish'
credentials, only 'reinitialize' them. Found in src/crypto/openssh/auth-pam.c
and session.c. I really wouldn't know if this is appropriate or not, but it
seems confusing to me.

The second question still stands:

> - shouldn't pam_krb5 re-establish the credential cache when called with
>   PAM_REINITIALIZE_CRED, instead of just returning PAM_SUCCESS? I'm a total
>   pam newbie so I'm going only by the name of the flag; I couldn't find a
>   manpage that made the semantics of these flags more clear.

Or of course someone pointing out the correct way to get an initialized
Kerberos 5 ticket cache upon successful ssh login...

--Stijn

----- End forwarded message -----

----- End attached message -----


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051021141752.GQ6916>