Date: Wed, 6 Dec 2000 20:14:38 -0600
From: "Jacques A. Vidrine"
To: Chris
Cc: freebsd-hackers@freebsd.org
Subject: Re: PAM issues..
Message-ID: <20001206201438.B64751@spawn.nectar.com>
In-Reply-To: <3A2ED495.397B46A3@iastate.edu>; from ccsanady@iastate.edu on Thu, Dec 07, 2000 at 12:06:46AM +0000

On Thu, Dec 07, 2000 at 12:06:46AM +0000, Chris wrote:
> Hi, I have been writing a PAM module to do Kerberos 5 and AFS stuff, and
> have run across a couple of problems.

Have you looked at ports/security/pam_krb5, by the way?  This does
Kerberos 5, but not AFS.

> The next is pam_setcred(). I've noticed that this is not actually
> called from login/etc, so it doesn't do much good. Is this
> intentional? Not that it matters much, for anything other than
> compatibility with other modules.

Patching login et al. to call pam_setcred is trivial.  The only reason I
haven't done so yet is because pam_setcred is all but useless. :-)

I'm enclosing a previous message that I sent to the FreeBSD PAM
maintainer (ok well it went to jdp first and then later to markm) to
explain more fully.  None of us have had time to address it yet, and
this appears to be a bug in Linux-PAM (which is the implementation we
use).

Cheers,
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org


Date: Mon, 6 Nov 2000 12:51:46 -0600
From: "Jacques A. Vidrine"
To: jdp@polstra.com
Subject: pam_setcred in login.c

Hi John,

You look like the PAM maintainer.  Can I commit the following to
src/usr.bin/login.c (actually, the below patch is for -STABLE but I
mean to commit the equivalent to -CURRENT)?

--- login.c.orig Fri Nov 3 21:12:40 2000 +++ login.c Mon Nov 6 12:00:46 2000
@@ -714,6 +714,9 @@ } else syslog(LOG_ERR, "Couldn't get PAM_USER: %s", pam_strerror(pamh, e)); + if ((e = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) + syslog(LOG_ERR, "Couldn't establish credentials: %s", + pam_strerror(pamh, e)); rval = 0; break.

By the way, is it just me, or is pam_setcred broken?  For example,
with the following config file:

login auth sufficient pam_skey.so
login auth sufficient pam_krb5.so
login auth required   pam_unix.so

Regardless of whether you authenticate with `skey', `krb5', or `unix',
pam_sm_setcred is called in pam_skey.so, i.e. the search starts over.
By my reading of the Solaris man page, pam_sm_setcred should be called
in the module that successfully authenticated the user.  At any rate
this seems infinitely more useful.

Excerpt from Solaris 2.6 pam(3):

     If the user has been successfully authenticated, the application
     calls pam_setcred() to set any user credentials associated with
     the authentication service.
     [...]
     For example, during the call to pam_authenticate(), service
     modules may store data in the handle that is intended for use by
     pam_setcred().

Just looking for a sanity check...

Thanks!
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
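Review bot: the @@ -714,6 +714,9 @@ hunk treats a pam_setcred() failure as log-and-continue: after the new syslog() call the unchanged `rval = 0;` and `break;` still run, so the login is reported as successful although no credentials were established. If that is intended (credentials are optional for login), say so in a comment next to the call; otherwise guard the `rval = 0;` so that a PAM_ESTABLISH_CRED failure is rejected the same way as an authentication failure. Two smaller points in the same hunk: the new `if` follows the `} else syslog(LOG_ERR, "Couldn't get PAM_USER: %s", ...)` branch, so it is reached even when PAM_USER could not be fetched, and nothing in this change issues the matching PAM_DELETE_CRED at logout.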
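To make the stacking behaviour argued about in the message concrete, here is an added example; it is not code from the thread, from Linux-PAM or from FreeBSD's login. It models an auth stack with the required/requisite/sufficient control flags and runs the three-line login configuration quoted above under two pam_setcred() policies: one that re-walks the stack from the top (the behaviour the message reports seeing, with pam_skey.so's pam_sm_setcred entered first) and one that only calls the module whose pam_sm_authenticate succeeded (the reading of the Solaris man page the message argues for). The module behaviours, the user name, the credential-cache path and the `exports_cred` knob are assumptions made for the illustration, and the return codes are symbolic strings rather than the real PAM constants.

```python
"""Toy model of PAM auth-stack dispatch (constructed example, not libpam code).

Flags required/requisite/sufficient follow Linux-PAM's documented semantics
(`optional` is left out).  pam_setcred() is dispatched two ways: "restart"
re-walks the stack from the top with the same flags (what the e-mail reports);
"authenticator" calls pam_sm_setcred only where pam_sm_authenticate succeeded
(the Solaris pam(3) reading).  Return codes are symbolic strings, not real ones.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, NamedTuple

PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"
PAM_CRED_UNAVAIL, PAM_PERM_DENIED = "PAM_CRED_UNAVAIL", "PAM_PERM_DENIED"


@dataclass
class Handle:                      # stand-in for pam_handle_t
    user: str
    method: str                    # mechanism the user actually answered: skey, krb5 or unix
    data: Dict[str, str] = field(default_factory=dict)      # pam_set_data()/pam_get_data()
    env: Dict[str, str] = field(default_factory=dict)       # pam_putenv()
    succeeded: List[str] = field(default_factory=list)      # modules whose auth succeeded
    setcred_trace: List[str] = field(default_factory=list)  # modules whose setcred ran


class Module(NamedTuple):
    name: str
    control: str                   # required | requisite | sufficient
    authenticate: Callable[[Handle], str]
    setcred: Callable[[Handle], str]


def _dispatch(stack: List[Module], h: Handle, action: str) -> str:
    # One pass over the stack, applying each module's control flag to its result.
    required_failure = None        # first required/requisite failure wins
    definite_success = False       # some required/requisite module succeeded
    for m in stack:
        rc = getattr(m, action)(h)
        if action == "authenticate" and rc == PAM_SUCCESS:
            h.succeeded.append(m.name)
        if m.control == "sufficient":          # a failing `sufficient` module is ignored
            if rc == PAM_SUCCESS and required_failure is None:
                return PAM_SUCCESS             # stack ends here; later modules never run
        elif m.control in ("required", "requisite"):
            if rc == PAM_SUCCESS:
                definite_success = True
            else:
                required_failure = required_failure or rc
                if m.control == "requisite":
                    return required_failure    # fail fast
        else:
            raise ValueError(f"unknown control flag {m.control!r}")
    if required_failure is not None:
        return required_failure
    return PAM_SUCCESS if definite_success else PAM_PERM_DENIED


def pam_authenticate(stack: List[Module], h: Handle) -> str:
    return _dispatch(stack, h, "authenticate")


def pam_setcred(stack: List[Module], h: Handle, policy: str) -> str:
    if policy == "restart":
        return _dispatch(stack, h, "setcred")
    if policy == "authenticator":
        for m in stack:
            if m.name in h.succeeded:
                rc = m.setcred(h)
                if rc != PAM_SUCCESS:
                    return rc
        return PAM_SUCCESS
    raise ValueError(f"unknown policy {policy!r}")


def make_module(name: str, control: str, method: str, exports_cred: bool = False) -> Module:
    """Made-up module: succeeds iff the user answered `method`; exports_cred adds a ticket."""
    def authenticate(h: Handle) -> str:
        if h.method != method:
            return PAM_AUTH_ERR
        if exports_cred:           # stash data for setcred, as the Solaris man page describes
            h.data[name + ":ccache"] = f"/tmp/krb5cc_{h.user}"  # path is made up
        return PAM_SUCCESS
    def setcred(h: Handle) -> str:
        h.setcred_trace.append(name)
        if not exports_cred:
            return PAM_SUCCESS        # nothing to establish (e.g. one-time passwords)
        if name + ":ccache" not in h.data:
            return PAM_CRED_UNAVAIL   # this module never authenticated the user
        h.env["KRB5CCNAME"] = "FILE:" + h.data[name + ":ccache"]
        return PAM_SUCCESS
    return Module(name, control, authenticate, setcred)


# login auth sufficient pam_skey.so / sufficient pam_krb5.so / required pam_unix.so
LOGIN_AUTH_STACK = [
    make_module("pam_skey", "sufficient", "skey"),
    make_module("pam_krb5", "sufficient", "krb5", exports_cred=True),
    make_module("pam_unix", "required", "unix"),
]


def login(method: str, policy: str):
    # Authenticate, then establish credentials: (auth rc, setcred rc or None, handle).
    h = Handle(user="chris", method=method)   # user name is made up
    rc_auth = pam_authenticate(LOGIN_AUTH_STACK, h)
    rc_cred = pam_setcred(LOGIN_AUTH_STACK, h, policy) if rc_auth == PAM_SUCCESS else None
    return rc_auth, rc_cred, h
```

With `login("krb5", "restart")` the setcred pass enters pam_skey first; because that entry is `sufficient` and reports success, the walk stops there, pam_krb5's setcred never runs and KRB5CCNAME is never set, yet pam_setcred() returns PAM_SUCCESS. `login("krb5", "authenticator")` calls pam_krb5 instead and publishes the cache. The same `_dispatch` routine serves both pam_authenticate and the restart-style pam_setcred, which is exactly why applying the auth-stack control flags a second time produces the behaviour the message complains about.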