Date:      Wed, 6 Dec 2000 20:14:38 -0600
From:      "Jacques A. Vidrine" <n@nectar.com>
To:        Chris <ccsanady@iastate.edu>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: PAM issues..
Message-ID:  <20001206201438.B64751@spawn.nectar.com>
In-Reply-To: <3A2ED495.397B46A3@iastate.edu>; from ccsanady@iastate.edu on Thu, Dec 07, 2000 at 12:06:46AM +0000
References:  <3A2ED495.397B46A3@iastate.edu>

On Thu, Dec 07, 2000 at 12:06:46AM +0000, Chris wrote:
> Hi, I have been writing a PAM module to do Kerberos 5 and AFS stuff, and
> have run across a couple of problems.

Have you looked at ports/security/pam_krb5, by the way?  This does
Kerberos 5, but not AFS.

> The next is pam_setcred().  I've noticed that this is not actually
> called from login/etc, so it doesn't do much good.  Is this
> intentional?  Not that it matters much, for anything other than
> compatibility with other modules.

Patching login et al. to call pam_setcred is trivial. The only reason I
haven't done so yet is because pam_setcred is all but useless. :-) I'm
enclosing a previous message that I sent to the FreeBSD PAM maintainer
(ok well it went to jdp first and then later to markm) to explain more
fully.  None of us have had time to address it yet, and this appears to
be a bug in Linux-PAM (which is the implementation we use).

Cheers,
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org


Date: Mon, 6 Nov 2000 12:51:46 -0600
From: "Jacques A. Vidrine" <n@nectar.com>
To: jdp@polstra.com
Subject: pam_setcred in login.c

Hi John,

You look like the PAM maintainer.  Can I commit the following to
src/usr.bin/login.c (actually, the below patch is for -STABLE but I
mean to commit the equivalent to -CURRENT)?

--- login.c.orig        Fri Nov  3 21:12:40 2000
+++ login.c     Mon Nov  6 12:00:46 2000
@@ -714,6 +714,9 @@
                } else
                        syslog(LOG_ERR, "Couldn't get PAM_USER: %s",
                            pam_strerror(pamh, e));
+               if ((e = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS)
+                       syslog(LOG_ERR, "Couldn't establish credentials: %s", 
+                           pam_strerror(pamh, e));
                rval = 0;
                break;
 
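Review bot: a pam_setcred() failure here is only syslogged and then execution falls through to `rval = 0; break;`, so the login is reported as successful even though no credentials were established; for a module like pam_krb5 that means the session starts without the tickets the user just authenticated for. Consider treating a non-PAM_SUCCESS return as a login failure (or at least reporting it to the user rather than only to syslog), and note that the new call is also reached via the `Couldn't get PAM_USER` error branch directly above it, where the handle is already in a doubtful state. Minor: the `"Couldn't establish credentials: %s", ` line carries a trailing space.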

By the way, is it just me, or is pam_setcred broken?  For example,
with the following config file:

  login auth sufficient pam_skey.so
  login auth sufficient pam_krb5.so
  login auth required   pam_unix.so

Regardless of whether you authenticate with `skey', `krb5', or `unix',
pam_sm_setcred is called in pam_skey.so, i.e. the search starts over.
By my reading of the Solaris man page, pam_sm_setcred should be called
in the module that successfully authenticated the user.  At any rate
this seems infinitely more useful.
 
Excerpt from Solaris 2.6 pam(3):

   If the user has been successfully authenticated, the application
   calls pam_setcred() to set any user credentials associated with
   the authentication service. [...] For example, during the call to
   pam_authenticate(), service modules may store data in the handle
   that is intended for use by pam_setcred().

Just looking for a sanity check...

Thanks!
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
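To make the stacking problem in the forwarded message concrete, here is an added example (constructed for this page; it is not PAM, Linux-PAM or FreeBSD code) that models the three-module `login` auth stack above in Python. The module names and control flags are the ones from the config file; the users, passwords and the "krb5-ticket" credential are made-up sample data. `setcred_restart_stack` reproduces the behaviour the message reports (pam_setcred walks the stack from the top, so the first `sufficient` module that returns success ends the walk), and `setcred_authenticating_module` reproduces the reading of the Solaris man page (pam_sm_setcred runs in the module that actually authenticated the user, located via data left in the handle by pam_authenticate). The stacking rules are simplified to what the message needs: a `sufficient` success stops the walk, a `required` failure fails the whole stack.

```python
"""Simplified model of a PAM auth stack with `sufficient` / `required`
control flags, illustrating the pam_setcred ordering problem discussed
in the message above.  Constructed example; not PAM or FreeBSD code."""
from dataclasses import dataclass, field
from typing import Optional

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_ESTABLISH_CRED = "PAM_ESTABLISH_CRED"


@dataclass
class Module:
    """Stand-in for pam_skey.so / pam_krb5.so / pam_unix.so.
    `passwords` maps user -> password the module accepts (sample data);
    `grants` is the credential this module's pam_sm_setcred establishes,
    or None if the module has nothing to establish."""
    name: str
    passwords: dict
    grants: Optional[str] = None

    def sm_authenticate(self, user, password):
        return PAM_SUCCESS if self.passwords.get(user) == password else PAM_AUTH_ERR

    def sm_setcred(self, handle, flags):
        # A module that has nothing to establish just reports success,
        # which is exactly what lets a `sufficient` setcred walk stop early.
        if self.grants is not None and flags == PAM_ESTABLISH_CRED:
            handle.credentials.add(self.grants)
        return PAM_SUCCESS


@dataclass
class Handle:
    """The pam_handle_t: remembers which module authenticated the user,
    i.e. the data pam_authenticate leaves behind for pam_setcred."""
    user: str
    auth_module: Optional[str] = None
    credentials: set = field(default_factory=set)


# The config from the message: login auth sufficient pam_skey.so, ...
STACK = [
    ("sufficient", Module("pam_skey.so", {"bob": "otp-123"})),
    ("sufficient", Module("pam_krb5.so", {"alice": "krb5-pass"}, grants="krb5-ticket")),
    ("required",   Module("pam_unix.so", {"carol": "unix-pass", "alice": "unix-pass"})),
]


def authenticate(stack, handle, password):
    """Walk the stack like pam_authenticate(): a `sufficient` success ends
    the walk (unless a `required` module already failed); a `required`
    failure makes the overall result a failure but the walk continues."""
    required_failed = False
    last_success = None
    for control, module in stack:
        rc = module.sm_authenticate(handle.user, password)
        if rc == PAM_SUCCESS:
            last_success = module.name
        if control == "sufficient" and rc == PAM_SUCCESS and not required_failed:
            handle.auth_module = module.name
            return PAM_SUCCESS
        if control == "required" and rc != PAM_SUCCESS:
            required_failed = True
    if required_failed or last_success is None:
        return PAM_AUTH_ERR
    handle.auth_module = last_success
    return PAM_SUCCESS


def setcred_restart_stack(stack, handle, flags=PAM_ESTABLISH_CRED):
    """Behaviour reported in the message: pam_setcred() restarts the walk
    from the top with the same control logic, so the first `sufficient`
    module that returns success ends it, whether or not it authenticated
    the user.  Returns the names of the modules whose setcred ran."""
    ran = []
    for control, module in stack:
        rc = module.sm_setcred(handle, flags)
        ran.append(module.name)
        if control == "sufficient" and rc == PAM_SUCCESS:
            break
    return ran


def setcred_authenticating_module(stack, handle, flags=PAM_ESTABLISH_CRED):
    """Reading of the Solaris man page: run pam_sm_setcred() in the module
    that successfully authenticated the user, found via the handle."""
    ran = []
    for _control, module in stack:
        if module.name == handle.auth_module:
            module.sm_setcred(handle, flags)
            ran.append(module.name)
    return ran


def login(stack, user, password, setcred):
    """Application side (what the login.c patch adds): authenticate, then
    establish credentials.  Returns (result, credentials established)."""
    handle = Handle(user)
    rc = authenticate(stack, handle, password)
    if rc != PAM_SUCCESS:
        return rc, set()
    setcred(stack, handle)
    return rc, handle.credentials


if __name__ == "__main__":
    for label, fn in (("restart stack", setcred_restart_stack),
                      ("authenticating module", setcred_authenticating_module)):
        print(label, login(STACK, "alice", "krb5-pass", fn))
```

Running it, alice authenticates through pam_krb5.so either way, but with the restart-from-top behaviour pam_skey.so's setcred answers first and the walk stops there, so she ends the login with no Kerberos ticket; with the handle-directed variant pam_krb5.so's setcred runs and the ticket is established. Authenticating alice with her unix password instead shows the other side: pam_unix.so is the authenticating module and has nothing to establish, so no credential appears in either variant, which is the correct outcome rather than a silent miss.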







Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001206201438.B64751>