Date: Wed, 3 Dec 2003 11:33:19 -0600 From: Tillman Hodgson <tillman@seekingfire.com> To: FreeBSD-Ports <freebsd-ports@freebsd.org> Subject: MIT krb5, telnetd, PAM, incorrect permissions on forwarded tickets Message-ID: <20031203173319.GE294@seekingfire.com>
Howdy folks,

When using the MIT krb5 port (up to date as of a CVSup this morning) on a recent -STABLE box, there are two ways to enable telnetd in /etc/inetd.conf:

    telnet stream tcp nowait root /usr/libexec/telnetd telnetd -a user

or

    telnet stream tcp nowait root /usr/local/krb5/sbin/telnetd telnetd -a user -L /usr/local/krb5/sbin/login.krb5

The first way, according to the man page and to the README.FreeBSD included in the krb5 port, uses /usr/bin/login. The second way uses the MIT login program.

The first way is obviously preferred -- you get login.conf and login.access that way. However, when using forwarded tickets it creates them with the wrong permissions (0600 root:wheel) and the user can't even read their own ticket. If root chown's them to the user manually the forwarded ticket works correctly. Naturally, login.krb5 sets the permissions correctly.

Since a simple chown seems like such a simple thing to fix and there are compelling benefits to using the FreeBSD login, I'd like to start using /usr/bin/login with my MIT telnetd (it's even the default in the port ;-) ). But figuring out just where this should be done has been non-trivial.

My first instinct (supported by the wording in README.FreeBSD) was to look in /etc/pam.conf. But PAM doesn't appear to be in play here: I have pam_krb5.conf commented out and am still able to log in correctly! Uncommenting pam_krb5 in the PAM stack appears to have no effect.

So my next instinct was that the MIT telnetd was performing the ticket creation in /tmp itself. That's a much bigger piece of software to read through -- I'm still digging into it.

Are there any known workarounds for this? Would someone with a bit more familiarity with the code in question mind taking a look at it?

Thanks,

-T

-- 
Belief gets in the way of learning.
    - Robert Heinlein
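The symptom described in the message above (a forwarded ticket landing in /tmp as 0600 root:wheel, unreadable by the user who just logged in) is easy to confirm and to work around from a shell. The following is an added example, not code from the original post or from the krb5 port: a check that a credential cache file has the ownership and mode login.krb5 would have given it, plus the manual chown/chmod the author describes as the workaround. Only find(1) primaries that both BSD and GNU find accept are used (-maxdepth, -type, -user, -perm with an exact mode); the function names and the idea of reading the cache path from KRB5CCNAME are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the original message): audit and repair the
# ownership/mode of a Kerberos credential cache file after a telnet login.

# check_ccache FILE USER
# Exit 0 when FILE is a regular file owned by USER with mode exactly 0600,
# i.e. what a correctly forwarded ticket should look like; exit 1 otherwise.
check_ccache() {
    f=$1
    u=$2
    [ -f "$f" ] || { echo "no such credential cache: $f" >&2; return 1; }
    # -perm 600 with no +/-// prefix is an exact-mode match on BSD and GNU find;
    # find prints the path only if every primary matches.
    [ -n "$(find "$f" -maxdepth 0 -type f -user "$u" -perm 600 2>/dev/null)" ]
}

# describe_ccache FILE
# Print mode, owner and group as ls(1) shows them, for the report.
describe_ccache() {
    ls -ld "$1" | awk '{ print $1, $3, $4 }'
}

# fix_ccache FILE USER
# The manual workaround from the message: hand the cache to its user.
# Must run as root (assumption: the admin applies this after the fact).
fix_ccache() {
    chown "$2" "$1" && chmod 600 "$1"
}

# audit_login_ccache USER
# Convenience wrapper: take the cache path from KRB5CCNAME (strip a FILE:
# prefix if present), report, and optionally repair when --fix is given.
audit_login_ccache() {
    u=$1
    f=${KRB5CCNAME#FILE:}
    [ -n "$f" ] || { echo "KRB5CCNAME is not set" >&2; return 1; }
    if check_ccache "$f" "$u"; then
        echo "ok: $f ($(describe_ccache "$f"))"
        return 0
    fi
    echo "BAD: $f ($(describe_ccache "$f")) expected 0600 owned by $u" >&2
    if [ "${2:-}" = "--fix" ]; then
        fix_ccache "$f" "$u" && echo "fixed: $f" && return 0
    fi
    return 1
}
```

After logging in through the MIT telnetd with ticket forwarding, run `audit_login_ccache "$(id -un)"` as the user to see whether the cache is usable; as root, `KRB5CCNAME=/tmp/krb5cc_XXXX audit_login_ccache theuser --fix` applies the chown the message mentions. The check deliberately demands an exact 0600 rather than "at most 0600", since a cache readable by other users is as much a problem as one the owner cannot read.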