From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 15:25:11 2013
From: Dag-Erling Smørgrav <des@des.no>
To: Slawa Olhovchenkov
Cc: freebsd-security@FreeBSD.org
Subject: Re: OpenSSH, PAM and kerberos
Date: Tue, 03 Sep 2013 17:25:11 +0200
Message-ID: <86mwnuszag.fsf@nine.des.no>
In-Reply-To: <20130903142205.GL3796@zxy.spb.ru> (Slawa Olhovchenkov's message of "Tue, 3 Sep 2013 18:22:05 +0400")
List-Id: "Security issues [members-only posting]"

Slawa Olhovchenkov writes:
> Dag-Erling Smørgrav writes:
> >
> > Did you read *anything* that I wrote?
> I read. Maybe I write badly, sorry for my English.

No, your English is fine, but I feel like I'm trying to explain to you
that I want to replace a carburetted engine with an injection engine and
you keep complaining about how hard it will be to fit the carburettor.

I am *not* proposing to move PAM into a daemon.  I am proposing
something completely new.  I thought I made that clear.

> The application doesn't know about KRB5CCNAME (in the general case),
> and the authentication daemon doesn't know about KRB5CCNAME either.
> How can the daemon learn that it needs to transfer KRB5CCNAME to the
> application?

KRB5CCNAME is an environment variable.  OpenSSH already contains code
that copies environment variables from the PAM child process to the main
process.  The problem is that at this point, the credentials are stored
in a temporary cache within the process, rather than a persistent cache,
and KRB5CCNAME is not yet set.  The temporary cache is lost when the PAM
child terminates, before pam_setcred() is called.

> If called from the application, pam_krb5 changes the application's
> environment or context, and the application doesn't worry about the
> changes.  All is done by PAM modules.

Yes.  PAM is crap.

DES
-- 
Dag-Erling Smørgrav - des@des.no
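The lifecycle DES describes above, as an added model that is not code from OpenSSH, pam_krb5 or this thread: a forked stand-in for the PAM child "authenticates", exports KRB5CCNAME, ships its environment back to the parent over a pipe (the way sshd's monitor copies PAM environment variables), and exits; the parent, standing in for the later pam_setcred() call, then tries to use the cache KRB5CCNAME names. With a MEMORY: cache the name survives the handoff but the credentials do not, because they lived in the child's address space; with a FILE: cache they do, and the parent can also verify the file is owner-only. MEMORY: and FILE: are the real Kerberos ccache type prefixes, but no Kerberos library is used; the FAKE_TGT bytes, the "MEMORY:pam_krb5" residual and all function names are constructed for this example, and it assumes a POSIX system with os.fork.

```python
"""Model of the PAM-child / parent credential-cache split (constructed example)."""
import os
import shutil
import stat
import tempfile

# Constructed stand-in for a Kerberos TGT; no real Kerberos is involved.
FAKE_TGT = b"krbtgt/EXAMPLE.COM@EXAMPLE.COM ticket bytes (constructed)"


def _child_authenticate(cache_type: str, cache_dir: str) -> dict:
    """Runs in the PAM child (stand-in for pam_authenticate() driving pam_krb5).

    Returns the environment the child exports back to the parent.
    """
    if cache_type == "MEMORY":
        # A MEMORY: cache lives only in this process's address space and
        # disappears when the child exits; only the name gets exported.
        _memory_cache = {"tkt": FAKE_TGT}
        return {"KRB5CCNAME": "MEMORY:pam_krb5"}
    if cache_type == "FILE":
        # A FILE: cache outlives the child. Credentials are reusable,
        # so the file must be owner-only (mkstemp creates it 0600; be explicit).
        fd, path = tempfile.mkstemp(prefix="krb5cc_", dir=cache_dir)
        os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)
        os.write(fd, FAKE_TGT)
        os.close(fd)
        return {"KRB5CCNAME": "FILE:" + path}
    raise ValueError(f"unknown cache type {cache_type!r}")


def _parent_setcred(env: dict) -> dict:
    """Runs in the parent after the child has exited (stand-in for pam_setcred())."""
    ccname = env.get("KRB5CCNAME")
    if ccname is None:
        return {"ok": False, "reason": "KRB5CCNAME not set"}
    ctype, _, residual = ccname.partition(":")
    if ctype == "MEMORY":
        # The parent cannot reach the dead child's memory: name without contents.
        return {"ok": False, "reason": "MEMORY cache vanished with the PAM child"}
    if ctype == "FILE":
        try:
            st = os.stat(residual)
        except FileNotFoundError:
            return {"ok": False, "reason": "cache file missing"}
        if stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
            return {"ok": False, "reason": "cache file is group/world accessible"}
        with open(residual, "rb") as f:
            return {"ok": f.read() == FAKE_TGT, "reason": "credentials reached parent"}
    return {"ok": False, "reason": f"unknown cache type {ctype!r}"}


def run_pam_split(cache_type: str) -> dict:
    """Fork a PAM child, copy its environment back over a pipe, then 'setcred' in the parent."""
    cache_dir = tempfile.mkdtemp(prefix="pamkrb-")
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # PAM child
        os.close(rfd)
        env = _child_authenticate(cache_type, cache_dir)
        payload = "\0".join(f"{k}={v}" for k, v in env.items()).encode()
        os.write(wfd, payload)
        os.close(wfd)
        os._exit(0)  # child is gone; anything only it held is gone with it
    # Parent: read the exported environment, reap the child, then try to use the cache.
    os.close(wfd)
    chunks = []
    while True:
        chunk = os.read(rfd, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(rfd)
    os.waitpid(pid, 0)
    raw = b"".join(chunks).decode()
    env = dict(item.split("=", 1) for item in raw.split("\0") if item)
    result = _parent_setcred(env)
    result["KRB5CCNAME"] = env.get("KRB5CCNAME")
    shutil.rmtree(cache_dir, ignore_errors=True)
    return result


if __name__ == "__main__":
    for ctype in ("MEMORY", "FILE"):
        print(ctype, run_pam_split(ctype))
```

The MEMORY: run shows exactly the gap in the message: the environment copy delivers KRB5CCNAME to the parent, but the thing it points at no longer exists. The FILE: run shows what a persistent cache buys, and the permission check is the minimum a caller should apply before trusting a cache file it did not create itself.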