From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 13:24:17 2013 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id EC6CD81A for ; Tue, 3 Sep 2013 13:24:17 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id AB9802AAE for ; Tue, 3 Sep 2013 13:24:17 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id 102064578; Tue, 3 Sep 2013 13:24:17 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id 2100E33A1A; Tue, 3 Sep 2013 15:23:48 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Slawa Olhovchenkov Subject: Re: OpenSSH, PAM and kerberos References: <20130830131455.GW3796@zxy.spb.ru> <8661uj9lc6.fsf@nine.des.no> <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <20130903095316.GH3796@zxy.spb.ru> <86li3euovr.fsf@nine.des.no> <20130903115050.GJ3796@zxy.spb.ru> Date: Tue, 03 Sep 2013 15:23:48 +0200 In-Reply-To: <20130903115050.GJ3796@zxy.spb.ru> (Slawa Olhovchenkov's message of "Tue, 3 Sep 2013 15:50:50 +0400") Message-ID: <864na2ujh7.fsf@nine.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@FreeBSD.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Sep 2013 13:24:18 -0000 Slawa Olhovchenkov writes: > Dag-Erling Sm=C3=B8rgrav writes: > > The application does not need pam_krb5's temporary credential cache. It > > is only used internally. Single sign-on is implemented by storing your > > credentials in a *permanent* credential cache (either a file or KCM) > > which is independent of the PAM session and the application. The > > location of the permanent credential cache is exported to the > > application through the KRB5CCNAME environment variable. > Yes, but content of credential cache got at time pam_authenticate(). Did you read *anything* that I wrote? The pam_krb5 module obtains your credentials and stores them in a persistent cache which is *independent* of the module and of the application that called it. The *only* thing it needs to communicate to the application is the value of KRB5CCNAME. If this wasn't the case, pam_krb5 wouldn't work with *any* applications whatsoever, not just sshd. > Also, authenticate daemon (in case authenticate daemon call > pam_setcred) can't be know what need to transfer (chaneged UID? new > enviroment? deleted enviroment?) Actually, sshd already does most of this by farming PAM out to a child process. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no