Date: Sat, 3 Sep 2005 16:55:06 +0200
From: Stijn Hoop <stijn@win.tue.nl>
To: freebsd-arch@freebsd.org
Subject: Re: pam_krb5 / pam_sm_setcred not getting called with PAM_ESTABLISH_CRED
Message-ID: <20050903145506.GB852@pcwin002.win.tue.nl>
In-Reply-To: <20050903094434.GA852@pcwin002.win.tue.nl>
References: <20050903094434.GA852@pcwin002.win.tue.nl>
On Sat, Sep 03, 2005 at 11:44:34AM +0200, Stijn Hoop wrote:
> I'm debugging a problem on 5-STABLE where I've set up a KDC using Heimdal
> in the base system, and activated pam_krb5 in /etc/pam.d/sshd. It turns out
> that pam_krb5 does not establish the credential cache for the authenticated
> user. After reinstalling pam with DEBUG & PAM_DEBUG, it turns out that
> pam_sm_setcred is only called with PAM_REINITIALIZE_CRED as flags, and
> never with PAM_ESTABLISH_CRED, which is the only case for which a credential
> cache will be saved (in all other cases, PAM_SUCCESS is returned immediately,
> which is why I don't have a cache).

Further digging reveals that this is due to the sshd code; it turns out
that unless PrivilegeSeparation is off, it will not 'establish'
credentials, only 'reinitialize' them. Found in
src/crypto/openssh/auth-pam.c and session.c.

I really wouldn't know if this is appropriate or not, but it seems
confusing to me.

The second question still stands:

> - shouldn't pam_krb5 re-establish the credential cache when called with
> PAM_REINITIALIZE_CRED, instead of just returning PAM_SUCCESS? I'm a total
> pam newbie so I'm going only by the name of the flag; I couldn't find a
> manpage that made the semantics of these flags more clear.

Or of course someone pointing out the correct way to get an initialized
Kerberos 5 ticket cache upon successful ssh login...

--Stijn

-- 
"Diane, 2:15 in the afternoon, November 14. Entering town of Twin Peaks.
Five miles south of the Canadian border, twelve miles west of the state
line. Never seen so many trees in my life. As W.C. Fields would say, I'd
rather be here than Philadelphia."
-- Special Agent Dale Cooper, "Twin Peaks"
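The interaction the message describes, as an added example that is not part of the original mail and not FreeBSD's pam_krb5 or OpenSSH code: a small C model of a setcred module that only writes a ticket cache on PAM_ESTABLISH_CRED, driven by two application paths that stand in for sshd with privilege separation on and off. The flag values are copied from the OpenPAM/Linux-PAM `<security/pam_constants.h>` so the program builds without libpam (an assumption stated in the code); `setcred_flag_name`, `model_pam_sm_setcred` and `model_sshd_login` are hypothetical names invented for this example. The useful part for anyone chasing the same symptom is `setcred_flag_name`, which renders the flags word the way a PAM_DEBUG trace should, so the mismatch between what the application passes and what the module acts on is visible.

```c
/* Added example: models the pam_sm_setcred flag handling described in the
 * message. Flag values are those of OpenPAM/Linux-PAM pam_constants.h
 * (assumption: copied here so the program builds without libpam). This is
 * not FreeBSD's pam_krb5 or sshd code, only a model of the reported path. */
#include <stdio.h>
#include <string.h>

#define PAM_SUCCESS           0
#define PAM_ESTABLISH_CRED    0x1
#define PAM_DELETE_CRED       0x2
#define PAM_REINITIALIZE_CRED 0x4
#define PAM_REFRESH_CRED      0x8
#define PAM_SILENT            0x80000000

/* Render a setcred flags word (PAM_SILENT masked off) as its symbolic name,
 * the form a PAM_DEBUG trace should log so the caller's intent is visible. */
const char *setcred_flag_name(int flags) {
    switch (flags & ~PAM_SILENT) {
    case PAM_ESTABLISH_CRED:    return "PAM_ESTABLISH_CRED";
    case PAM_DELETE_CRED:       return "PAM_DELETE_CRED";
    case PAM_REINITIALIZE_CRED: return "PAM_REINITIALIZE_CRED";
    case PAM_REFRESH_CRED:      return "PAM_REFRESH_CRED";
    default:                    return "unknown or combined flags";
    }
}

/* Model of the module behaviour the message reports: the credential cache is
 * written only for PAM_ESTABLISH_CRED; every other flag returns PAM_SUCCESS
 * without touching the cache. *cache_saved records the side effect. */
int model_pam_sm_setcred(int flags, int *cache_saved) {
    printf("pam_sm_setcred called with %s\n", setcred_flag_name(flags));
    if ((flags & ~PAM_SILENT) == PAM_ESTABLISH_CRED) {
        *cache_saved = 1;   /* a real module would write the krb5 ccache here */
    }
    return PAM_SUCCESS;     /* all other flags: no-op, as the message reports */
}

/* Model of the two application paths the message identifies in sshd: with
 * privilege separation on, the module only ever sees a REINITIALIZE call;
 * with it off, it sees ESTABLISH. Returns 1 if a cache exists after "login".
 * (Constructed model of the described behaviour, not OpenSSH's own logic.) */
int model_sshd_login(int privsep) {
    int cache_saved = 0;
    if (privsep) {
        model_pam_sm_setcred(PAM_REINITIALIZE_CRED, &cache_saved);
    } else {
        model_pam_sm_setcred(PAM_ESTABLISH_CRED, &cache_saved);
    }
    return cache_saved;
}

int main(void) {
    printf("UsePrivilegeSeparation yes -> cache present: %d\n", model_sshd_login(1));
    printf("UsePrivilegeSeparation no  -> cache present: %d\n", model_sshd_login(0));
    return 0;
}
```

Running the model reproduces the symptom from the message: with the privsep path the module is only ever asked to reinitialize, so no cache is ever created, while the non-privsep path establishes one. Whether the module should also re-establish on PAM_REINITIALIZE_CRED is exactly the question the mail leaves open; the model keeps the reported behaviour and does not answer it.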