From: Stijn Hoop
To: Harti Brandt
Cc: hackers@freebsd.org
Date: Fri, 21 Oct 2005 16:17:52 +0200
Subject: Re: telnetd/sshd and Kerberos tickets (PAM)
Message-ID: <20051021141752.GQ6916@pcwin002.win.tue.nl>
In-Reply-To: <20051021160017.D4007@beagle.kn.op.dlr.de>
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)

On Fri, Oct 21, 2005 at 04:08:14PM +0200, Harti Brandt wrote:
> I have enabled the pam_krb5 module in pam.d/{login,telnetd,sshd}. When
> logging in locally I get a Kerberos ticket as I would expect. When logging
> in via ssh or telnet I don't get one. I have dug around in the sources
> and it looks like telnetd never calls pam_setcred() which would do this
> work. My PAM-foo is rather limited so my question is: shouldn't sshd and
> telnetd call pam_setcred() somewhere?

WRT sshd I bugged des@ about this but did not receive an answer :(

See the attached mail.

--Stijn

-- 
There are of course many problems connected with life, of which some of
the most popular are 'Why are people born?', 'Why do they die?', and
'Why do they spend so much of the intervening time wearing digital
watches?'
-- Douglas Adams, "The Hitchhikers Guide To The Galaxy"

[Attachment: des_mail.txt]

Hi,

I sent this 2 weeks ago but got no response. Did I miss anything? I'd
appreciate even a quick 'yes' or 'no' (although a pointer to more docs
would also be nice).

--Stijn

----- Forwarded message from Stijn Hoop -----

From: Stijn Hoop
Date: Wed, 7 Sep 2005 20:48:09 +0200
To: des@freebsd.org
Subject: pam_krb5 / pam_sm_setcred not getting called with PAM_ESTABLISH_CRED

Hi Dag-Erling,

sorry to bother you directly but I can't find good info on PAM internals
on the net. If you do have some pointers I'll gladly read more myself.

In any case, the quick quick version of the problem is this: is it
allowed for an application to only call pam_setcred with the
PAM_REINITIALIZE_FLAG, while never having called it with
PAM_ESTABLISH_CRED?

More details below and in my other post to arch@ with the same subject.

I would be obliged if you could answer this question. Thanks!

--Stijn

----- Forwarded message from Stijn Hoop -----

From: Stijn Hoop
Date: Sat, 3 Sep 2005 16:55:06 +0200
To: freebsd-arch@freebsd.org
Subject: Re: pam_krb5 / pam_sm_setcred not getting called with PAM_ESTABLISH_CRED

On Sat, Sep 03, 2005 at 11:44:34AM +0200, Stijn Hoop wrote:
> I'm debugging a problem on 5-STABLE where I've set up a KDC using Heimdal
> in the base system, and activated pam_krb5 in /etc/pam.d/sshd. It turns out
> that pam_krb5 does not establish the credential cache for the authenticated
> user. After reinstalling pam with DEBUG & PAM_DEBUG, it turns out that
> pam_sm_setcred is only called with PAM_REINITIALIZE_CRED as flags, and
> never with PAM_ESTABLISH_CRED, which is the only case for which a credential
> cache will be saved (in all other cases, PAM_SUCCESS is returned immediately,
> which is why I don't have a cache).

Further digging reveals that this is due to the sshd code; it turns out
that unless PrivilegeSeparation is off, it will not 'establish'
credentials, only 'reinitialize' them. Found in src/crypto/openssh/auth-pam.c
and session.c. I really wouldn't know if this is appropriate or not, but
it seems confusing to me.

The second question still stands:

> - shouldn't pam_krb5 re-establish the credential cache when called with
> PAM_REINITIALIZE_CRED, instead of just returning PAM_SUCCESS? I'm a total
> pam newbie so I'm going only by the name of the flag; I couldn't find a
> manpage that made the semantics of these flags more clear.

Or of course someone pointing out the correct way to get an initialized
Kerberos 5 ticket cache upon successful ssh login...

--Stijn

----- End forwarded message -----
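A stand-alone model of the pam_sm_setcred flag handling the thread describes, added here as an example and not taken from the thread, OpenPAM, pam_krb5 or sshd. The flag values, the `session` struct and the two call sequences are stand-ins constructed for this illustration; it shows why a module that only writes the cache on ESTABLISH_CRED leaves a privilege-separated sshd login without one, and what changes if REINITIALIZE_CRED also rebuilds it.

```c
/* Added example: a model of the pam_sm_setcred flag handling described in
 * the thread. Not OpenPAM, pam_krb5 or sshd code; the flag values, the
 * session struct and the call sequences are stand-ins constructed here. */
#include <stdbool.h>
#include <stdio.h>

/* Stand-ins for the PAM_*_CRED flags; the numeric values are this model's own. */
enum { ESTABLISH_CRED = 1, DELETE_CRED = 2, REINITIALIZE_CRED = 4, REFRESH_CRED = 8 };

/* Stand-in for the user's Kerberos ticket cache on disk. */
struct session { bool ccache_saved; };

/* Behaviour the poster observed: only ESTABLISH_CRED writes the cache;
 * REINITIALIZE/REFRESH return success without touching it. */
static int setcred_establish_only(struct session *s, int flags)
{
    if (flags & ESTABLISH_CRED) s->ccache_saved = true;
    else if (flags & DELETE_CRED) s->ccache_saved = false;
    return 0;                       /* PAM_SUCCESS in every case */
}

/* Behaviour the poster asks about: REINITIALIZE_CRED rebuilds the cache from
 * the credentials obtained at authentication, as ESTABLISH_CRED does. */
static int setcred_reestablish(struct session *s, int flags)
{
    if (flags & (ESTABLISH_CRED | REINITIALIZE_CRED)) s->ccache_saved = true;
    else if (flags & DELETE_CRED) s->ccache_saved = false;
    return 0;
}

typedef int (*setcred_fn)(struct session *, int);

/* Drive one login through a module with the given pam_setcred call sequence
 * and report whether the user ends up with a ticket cache. */
static bool login_leaves_cache(setcred_fn module, const int *seq, int n)
{
    struct session s = { false };
    for (int i = 0; i < n; i++)
        module(&s, seq[i]);
    return s.ccache_saved;
}

/* Sequences from the thread: sshd with privilege separation on only ever
 * passes REINITIALIZE_CRED; a login that passes ESTABLISH_CRED gets a cache. */
static const int privsep_sshd_seq[] = { REINITIALIZE_CRED };
static const int establish_seq[]    = { ESTABLISH_CRED };
```

Calling `login_leaves_cache(setcred_establish_only, privsep_sshd_seq, 1)` reproduces the poster's symptom (no cache), while the same sequence through `setcred_reestablish` leaves one.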