Date: Fri, 2 Feb 2001 21:14:38 -0500 (EST)
From: Robert Watson <rwatson@FreeBSD.org>
To: "Brian F. Feldman" <green@FreeBSD.org>
Cc: security@FreeBSD.org, assar@FreeBSD.org
Subject: Re: PAM/SSH and KerberosIV?
Message-ID: <Pine.NEB.3.96L.1010202210509.37792A-100000@fledge.watson.org>
In-Reply-To: <200101310049.f0V0n1f15852@green.dyndns.org>
On Tue, 30 Jan 2001, Brian F. Feldman wrote:

> I don't know. I do not have the capacity to test Kerberos without going
> through the trouble of setting it up for only myself on my own
> computer, which would be an exercise in utterly profound useless effort.
> So, anyone who does it, let me know if it works for you and how.

If you need to test your code in an existing kerberos realm, remember that both FreeBSD.org and watson.org use kerberos, and it would be easy to arrange for a principal for one of your hosts.

I ran through the tests, and the following occurs: without the pam_kerberosIV.so entry in /etc/pam.conf, you cannot log in using kerberos. I've committed a commented-out pam_kerberosIV.so entry for sshd to match the others in pam.conf in -CURRENT. I'll MFC to -STABLE sometime soon if there are no complaints. This appears to remedy the failure of Kerberos passwords to work, which is not unexpected :-).

However, this seems to have broken using unique kerberos ticket filenames for each session -- now it always uses /tmp/tkt1000 for uid 1000, rather than /tmp/tkt1000_randomnumber, meaning that if you log in twice, the first logout hoses the tickets for the second session. This didn't happen previously, and is probably an issue with pam_kerberosIV.so that I didn't run into previously since I always logged in via SSH. It's probably not a security hole, as presumably KTH does the right thing with regards to O_EXCL and so on, but it's not ideal.

> BTW, you ever test the make-ssh-use-/dev/tty-to-ask-for-OTP patch?

Nope, need to do that. I'll apply it on my local tree tonight and hopefully get a chance to test it this weekend or Monday.

BTW, at one point I think you committed some fixes relating to SSH sessions crashing (I think it was the tunnel closing bug?); were those from the base OpenSSH tree, or should we be submitting them back to the openssh-unix-dev mailing list?
Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
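The ticket-file problem in the mail above (every session of uid 1000 sharing /tmp/tkt1000, so one logout destroys the other session's tickets, versus a per-session /tmp/tkt1000_randomnumber created with O_EXCL) can be shown with a small program. The following is an added example and is not code from the mail, from KTH Kerberos, or from FreeBSD's pam_kerberosIV; the "<dir>/tkt<uid>_<n>" naming, the private directory under /tmp and the function names are assumptions chosen for the illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for mkdtemp() on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Added illustration (not KTH Kerberos or FreeBSD pam_kerberosIV code): a
 * per-session ticket cache created atomically with O_CREAT|O_EXCL so that two
 * logins of the same uid never share one file and one logout cannot destroy
 * the other session's tickets. The "<dir>/tkt<uid>_<n>" naming is an
 * assumption modelled on the /tmp/tkt1000_<random> names in the mail. */

/* Format "<dir>/tkt<uid>_<n>" into buf; -1 if it does not fit. */
static int tkt_path(char *buf, size_t len, const char *dir, unsigned uid, unsigned n)
{
    int r = snprintf(buf, len, "%s/tkt%u_%u", dir, uid, n);
    return (r < 0 || (size_t)r >= len) ? -1 : 0;
}

/* Create a new, empty, mode-0600 cache file that no other session holds.
 * O_EXCL makes create-if-absent atomic: an existing file (or a symlink
 * planted at that name) makes open() fail with EEXIST, and we try another
 * suffix instead of silently reusing it. Returns the open fd and writes the
 * chosen path, or -1 with errno set. */
int create_session_ticket_cache(const char *dir, unsigned uid, char *path, size_t len)
{
    static int seeded;
    if (!seeded) { srand((unsigned)(time(NULL) ^ getpid())); seeded = 1; }

    for (int attempt = 0; attempt < 100; attempt++) {
        unsigned n = (unsigned)rand();
        if (tkt_path(path, len, dir, uid, n) != 0) return -1;
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd >= 0) return fd;
        if (errno != EEXIST) return -1;  /* only a name collision is retried */
    }
    errno = EEXIST;
    return -1;
}

/* Logout: unlink the cache of one session only. */
int destroy_ticket_cache(const char *path) { return unlink(path); }

/* Two logins for the same uid in dir: returns 1 if they got distinct files,
 * a second O_EXCL create of the first name is refused, and destroying
 * session 1's cache leaves session 2's intact; 0 if the shared-name
 * behaviour the mail describes is observed instead; -1 on a setup error. */
int demo_two_sessions(const char *dir, unsigned uid)
{
    char p1[512], p2[512];
    int fd1 = create_session_ticket_cache(dir, uid, p1, sizeof p1);
    if (fd1 < 0) return -1;
    int fd2 = create_session_ticket_cache(dir, uid, p2, sizeof p2);
    if (fd2 < 0) { close(fd1); unlink(p1); return -1; }
    close(fd1);
    close(fd2);

    int distinct = strcmp(p1, p2) != 0;
    int refused = open(p1, O_WRONLY | O_CREAT | O_EXCL, 0600) < 0 && errno == EEXIST;
    destroy_ticket_cache(p1);              /* session 1 logs out */
    int survives = access(p2, F_OK) == 0;  /* session 2 still has its tickets? */
    destroy_ticket_cache(p2);
    return (distinct && refused && survives) ? 1 : 0;
}

/* Run the demo in a fresh private directory under /tmp and clean it up. */
int demo_in_tmpdir(void)
{
    char dir[] = "/tmp/tktdemo.XXXXXX";   /* constructed scratch location */
    if (mkdtemp(dir) == NULL) return -1;
    int result = demo_two_sessions(dir, 1000);  /* uid 1000 as in the mail */
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_in_tmpdir();
    printf("per-session caches survive the other's logout: %s\n",
           r == 1 ? "yes" : r == 0 ? "no" : "setup error");
    return r == 1 ? 0 : 1;
}
```

The point of the O_EXCL flag is that the create and the existence check happen in one system call: a name that already exists, whether left by another session or planted in the world-writable /tmp, is rejected rather than opened, and the loop simply picks a fresh suffix. A fixed name such as /tmp/tkt1000 cannot benefit from this, because the second login would have to either fail or reuse the first session's file.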