From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Dag-Erling Smørgrav
Cc: freebsd-security@FreeBSD.org
Date: Tue, 3 Sep 2013 15:50:50 +0400
Subject: Re: OpenSSH, PAM and kerberos
Message-ID: <20130903115050.GJ3796@zxy.spb.ru>
In-Reply-To: <86li3euovr.fsf@nine.des.no>

On Tue, Sep 03, 2013 at 01:27:04PM +0200, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Dag-Erling Smørgrav writes:
> > > Slawa Olhovchenkov writes:
> > > > And how, in this case, can the situation with PAM credentials
> > > > (Kerberos credentials in my case) be resolved?
> > > The application does not need them.
> > I need them. I need single sign-on, I need to enter the password only once,
> > at login time, and use these credentials to log in to other hosts and use
> > Kerberized NFS without entering a password.
> The application does not need pam_krb5's temporary credential cache. It
> is only used internally. Single sign-on is implemented by storing your
> credentials in a *permanent* credential cache (either a file or KCM)
> which is independent of the PAM session and the application. The
> location of the permanent credential cache is exported to the
> application through the KRB5CCNAME environment variable.

Yes, but the content of the credential cache is obtained at the time of
pam_authenticate(). And this content (size, structure and links to other
objects) is invisible outside PAM. The application (and the authentication
daemon) can't extract it for transfer and (in the general case) can't know
what acts are necessary (write to a file? which file? set the environment?)
-- all this activity is done internally by the PAM modules -- some by
pam_krb5, others by pam_opie and pam_unix. Also, the authentication daemon
(in case the authentication daemon calls pam_setcred) can't know what needs
to be transferred (changed UID? new environment? deleted environment?)