Date: Tue, 3 Sep 2013 14:50:34 +0400 From: Lev Serebryakov <lev@FreeBSD.org> To: Slawa Olhovchenkov <slw@zxy.spb.ru> Cc: Dag-Erling Sm??rgrav <des@des.no>, freebsd-security@FreeBSD.org Subject: Re: OpenSSH, PAM and kerberos Message-ID: <6110257289.20130903145034@serebryakov.spb.ru> In-Reply-To: <20130903103922.GI3796@zxy.spb.ru> References: <86sixrwdcv.fsf@nine.des.no> <20130830131455.GW3796@zxy.spb.ru> <8661uj9lc6.fsf@nine.des.no> <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <998724759.20130903142637@serebryakov.spb.ru> <20130903103922.GI3796@zxy.spb.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello, Slawa. You wrote 3 =D3=C5=CE=D4=D1=C2=D2=D1 2013 =C7., 14:39:22: >> >> And how in this case can be resolved situation with PAM credentials >> >> (Kerberos credentials in may case)? >> DES> The application does not need them. >> They are written to disk with pam_open_session() and this call should be >> called by sshd, not some "authorization daemon", if I understand situati= on >> right. Or don't I? SO> Written to disk with pam_setcred(), not pam_open_session(). And yes, SO> by sshd, after drop priveleges. And set KRB5CCNAME. "authorization SO> daemon" can't be set environment in other process. des@ suggests to have ability to pass env variables from authorization daemon, but anyway, pam_setcred() should be called by shell process (or its parent), and not any process in system, am I right? --=20 // Black Lion AKA Lev Serebryakov <lev@FreeBSD.org>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6110257289.20130903145034>