Date: Tue, 3 Sep 2013 14:39:22 +0400 From: Slawa Olhovchenkov <slw@zxy.spb.ru> To: Lev Serebryakov <lev@FreeBSD.org> Cc: Dag-Erling Sm??rgrav <des@des.no>, freebsd-security@FreeBSD.org Subject: Re: OpenSSH, PAM and kerberos Message-ID: <20130903103922.GI3796@zxy.spb.ru> In-Reply-To: <998724759.20130903142637@serebryakov.spb.ru> References: <86sixrwdcv.fsf@nine.des.no> <20130830131455.GW3796@zxy.spb.ru> <8661uj9lc6.fsf@nine.des.no> <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <998724759.20130903142637@serebryakov.spb.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Sep 03, 2013 at 02:26:37PM +0400, Lev Serebryakov wrote: > Hello, Dag-Erling. > You wrote 3 сентября 2013 г., 13:38:48: > > >> And how in this case can be resolved situation with PAM credentials > >> (Kerberos credentials in may case)? > DES> The application does not need them. > They are written to disk with pam_open_session() and this call should be > called by sshd, not some "authorization daemon", if I understand situation > right. Or don't I? Written to disk with pam_setcred(), not pam_open_session(). And yes, by sshd, after drop priveleges. And set KRB5CCNAME. "authorization daemon" can't be set environment in other process.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130903103922.GI3796>