From owner-freebsd-arch@FreeBSD.ORG Sat Sep 3 14:55:09 2005 Return-Path: X-Original-To: freebsd-arch@freebsd.org Delivered-To: freebsd-arch@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5972416A41F for ; Sat, 3 Sep 2005 14:55:09 +0000 (GMT) (envelope-from stijn@pcwin002.win.tue.nl) Received: from kweetal.tue.nl (kweetal.tue.nl [131.155.3.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id CDDC943D46 for ; Sat, 3 Sep 2005 14:55:08 +0000 (GMT) (envelope-from stijn@pcwin002.win.tue.nl) Received: from localhost (localhost [127.0.0.1]) by kweetal.tue.nl (Postfix) with ESMTP id CB61D13B6F8 for ; Sat, 3 Sep 2005 16:55:07 +0200 (CEST) Received: from kweetal.tue.nl ([127.0.0.1]) by localhost (kweetal.tue.nl [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 89524-03 for ; Sat, 3 Sep 2005 16:55:07 +0200 (CEST) Received: from pcwin002.win.tue.nl (pcwin002.win.tue.nl [131.155.71.72]) by kweetal.tue.nl (Postfix) with ESMTP id 0817C13B6E4 for ; Sat, 3 Sep 2005 16:55:07 +0200 (CEST) Received: (from stijn@localhost) by pcwin002.win.tue.nl (8.13.4/8.13.4/Submit) id j83Et6ia073764 for freebsd-arch@freebsd.org; Sat, 3 Sep 2005 16:55:06 +0200 (CEST) (envelope-from stijn) Date: Sat, 3 Sep 2005 16:55:06 +0200 From: Stijn Hoop To: freebsd-arch@freebsd.org Message-ID: <20050903145506.GB852@pcwin002.win.tue.nl> References: <20050903094434.GA852@pcwin002.win.tue.nl> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="+g7M9IMkV8truYOl" Content-Disposition: inline In-Reply-To: <20050903094434.GA852@pcwin002.win.tue.nl> User-Agent: Mutt/1.4.2.1i X-Bright-Idea: Let's abolish HTML mail! X-Virus-Scanned: amavisd-new at tue.nl Subject: Re: pam_krb5 / pam_sm_setcred not getting called with PAM_ESTABLISH_CRED' X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 03 Sep 2005 14:55:09 -0000 --+g7M9IMkV8truYOl Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Sep 03, 2005 at 11:44:34AM +0200, Stijn Hoop wrote: > I'm debugging a problem on 5-STABLE where I've setup a KDC using Heimdal > in the base system, and activated pam_krb5 in /etc/pam.d/sshd. It turns o= ut > that pam_krb5 does not establish the credential cache for the authenticat= ed > user. After reinstalling pam with DEBUG & PAM_DEBUG, it turns out that > pam_sm_setcred is only called with PAM_REINITIALIZE_CRED as flags, and > never with PAM_ESTABLISH_CRED, which is the only case for which a credent= ial > cache will be saved (in all other cases, PAM_SUCCESS is returned immediat= ely, > which is why I don't have a cache). Further digging reveals that this is due to the sshd code; it turns out that unless PrivilegeSeparation is off, it will not 'establish' credentials, only 'reinitialize' them. Found in src/crypto/openssh/auth-pam= .c and session.c. I really wouldn't know if this is appropriate or not, but it seems confusing to me. The second question still stands: > - shouldn't pam_krb5 re-establish the credential cache when called with > PAM_REINITIALIZE_CRED, instead of just returning PAM_SUCCESS? I'm a tot= al > pam newbie so I'm going only by the name of the flag; I couldn't find a > manpage that made the semantics of these flags more clear. Or of course someone pointing out the correct way to get an initialized Kerberos 5 ticket cache upon succesful ssh login... --Stijn --=20 "Diane, 2:15 in the afternoon, November 14. Entering town of Twin Peaks. Five miles south of the Canadian border, twelve miles west of the state line. Never seen so many trees in my life. As W.C. Fields would say, I'd rather be here than Philadelphia." -- Special Agent Dale Cooper, "Twin Peaks" --+g7M9IMkV8truYOl Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDGblKY3r/tLQmfWcRAvl5AJsElgZtcmlnBsn7e3nlE0QT/n/GmQCfWvKY GYZgL7W/8vVTKzzrqVCqd6Y= =2fgs -----END PGP SIGNATURE----- --+g7M9IMkV8truYOl--