Date: Fri, 30 Aug 2013 14:09:26 +0400 From: Slawa Olhovchenkov <slw@zxy.spb.ru> To: Dag-Erling Sm??rgrav <des@des.no> Cc: freebsd-security@FreeBSD.org Subject: Re: OpenSSH, PAM and kerberos Message-ID: <20130830100926.GU3796@zxy.spb.ru> In-Reply-To: <86d2ovy64p.fsf@nine.des.no> References: <20130829004844.GA70584@zxy.spb.ru> <86d2ovy64p.fsf@nine.des.no>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Aug 30, 2013 at 09:44:54AM +0200, Dag-Erling Sm??rgrav wrote: > Slawa Olhovchenkov <slw@zxy.spb.ru> writes: > > I am try to setup single sign-on and found this is imposuble due to > > bug in OpenSSH: currently sshd do pam_authenticate() and > > pam_acct_mgmt() from child process, but pam_setcred() from paren > > proccess. pam_krb5 in pam_sm_setcred() required information from > > pam_sm_authenticate and can't work corretly (can't create > > /tmp/krb5cc_NNNN, can't set envirompent KRB5CCNAME and so). > > PAM authentication in OpenSSH was broken for non-trivial cases when > privilege separation was implemented. Fixing it properly would be very > difficult. Same behaviour with 'UsePrivilegeSeparation no'.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130830100926.GU3796>