From: Stijn Hoop
To: Harti Brandt
Date: Mon, 14 Nov 2005 13:30:53 +0100
Message-ID: <20051114123052.GG69544@pcwin002.win.tue.nl>
Cc: hackers@freebsd.org
Subject: Re: telnetd/sshd and Kerberos tickets (PAM)

On Fri, Oct 21, 2005 at 05:10:39PM +0200, Harti Brandt wrote:
> On Fri, 21 Oct 2005, Stijn Hoop wrote:
> SH>On Fri, Oct 21, 2005 at 04:08:14PM +0200, Harti Brandt wrote:
> SH>> I have enabled the pam_krb5 module in pam.d/{login,telnetd,sshd}. When
> SH>> logging in locally I get a Kerberos ticket as I would expect. When logging
> SH>> in via ssh or telnet I don't get one. I have dug around in the sources
> SH>> and it looks like telnetd never calls pam_setcred() which would do this
> SH>> work. My PAM-foo is rather limited so my question is: shouldn't sshd and
> SH>> telnetd call pam_setcred() somewhere?
> SH>
> SH>WRT sshd I bugged des@ about this but did not receive an answer :( See
> SH>the attached mail.
>
> Hmm. I dug around a little bit and found something:
>
> http://bugzilla.mindrot.org/show_bug.cgi?id=789
>
> From a first glance it seems that this bug was introduced by fixing
> another bug.

I see. If I understand correctly, disabling privsep will fix it?

Still, I would really like to get an answer to my PAM question:

"Is it allowed for an application to only call pam_setcred with the
PAM_REINITIALIZE_FLAG, while never having called it with PAM_ESTABLISH_CRED?"

Did you find out yet?

--Stijn

-- 
"An adult is a child who has more ethics and morals, that's all."
        -- Shigeru Miyamoto
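
Added example, not part of the original mail and not code from FreeBSD, OpenSSH or any PAM implementation: a small checker over a recorded sequence of PAM calls that reports the two patterns raised in this thread, a login path that authenticates but never calls pam_setcred(), and a pam_setcred() with the reinitialize flag (PAM_REINITIALIZE_CRED in the PAM headers) that was never preceded by PAM_ESTABLISH_CRED. The enum, flag names and traces are constructed for illustration; the checker only reports the patterns and does not decide whether they are permitted.

```c
#include <stddef.h>
#include <stdio.h>

/* PAM calls reduced to what the thread discusses. The enum, the flag
 * names and the trace format are assumptions made for this example. */
enum pam_call {
    AUTHENTICATE,       /* pam_authenticate() */
    SETCRED_ESTABLISH,  /* pam_setcred(pamh, PAM_ESTABLISH_CRED) */
    SETCRED_REINIT,     /* pam_setcred(pamh, PAM_REINITIALIZE_CRED) */
    OPEN_SESSION        /* pam_open_session() */
};

#define F_NO_SETCRED      0x1u /* authenticated, pam_setcred() never called */
#define F_REINIT_NO_ESTAB 0x2u /* reinitialize with no earlier establish */

/* Walk one session's call trace in order and return the patterns seen. */
unsigned audit_trace(const enum pam_call *t, size_t n)
{
    unsigned flags = 0;
    int authed = 0, established = 0, any_setcred = 0;

    for (size_t i = 0; i < n; i++) {
        switch (t[i]) {
        case AUTHENTICATE:
            authed = 1;
            break;
        case SETCRED_ESTABLISH:
            established = any_setcred = 1;
            break;
        case SETCRED_REINIT:
            if (!established)          /* the case the mail asks about */
                flags |= F_REINIT_NO_ESTAB;
            any_setcred = 1;
            break;
        case OPEN_SESSION:
            break;
        }
    }
    if (authed && !any_setcred)        /* the reported telnetd symptom */
        flags |= F_NO_SETCRED;
    return flags;
}

/* Constructed traces, not captured from real daemons. */
static const enum pam_call local_login[] = { AUTHENTICATE, SETCRED_ESTABLISH, OPEN_SESSION };
static const enum pam_call no_setcred[]  = { AUTHENTICATE, OPEN_SESSION };
static const enum pam_call reinit_only[] = { AUTHENTICATE, OPEN_SESSION, SETCRED_REINIT };

int main(void)
{
    printf("local_login: 0x%x\n", audit_trace(local_login, 3));
    printf("no_setcred:  0x%x\n", audit_trace(no_setcred, 2));
    printf("reinit_only: 0x%x\n", audit_trace(reinit_only, 3));
    return 0;
}
```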