Date:      Tue, 03 Sep 2013 17:25:11 +0200
From:      Dag-Erling Smørgrav <des@des.no>
To:        Slawa Olhovchenkov <slw@zxy.spb.ru>
Cc:        freebsd-security@FreeBSD.org
Subject:   Re: OpenSSH, PAM and kerberos
Message-ID:  <86mwnuszag.fsf@nine.des.no>
In-Reply-To: <20130903142205.GL3796@zxy.spb.ru> (Slawa Olhovchenkov's message of "Tue, 3 Sep 2013 18:22:05 +0400")
References:  <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <20130903095316.GH3796@zxy.spb.ru> <86li3euovr.fsf@nine.des.no> <20130903115050.GJ3796@zxy.spb.ru> <864na2ujh7.fsf@nine.des.no> <20130903142205.GL3796@zxy.spb.ru>

Slawa Olhovchenkov <slw@zxy.spb.ru> writes:
> Dag-Erling Smørgrav <des@des.no> writes:
> > Did you read *anything* that I wrote?
> I read. Maybe I write badly, sorry for my English.

No, your English is fine, but I feel like I'm trying to explain to you
that I want to replace a carburetted engine with an injection engine and
you keep complaining about how hard it will be to fit the carburettor.

I am *not* proposing to move PAM into a daemon.  I am proposing
something completely new.  I thought I made that clear.

> Applications don't know about KRB5CCNAME (in the general case). And the
> authentication daemon doesn't know about KRB5CCNAME. How can the daemon
> learn that it needs to transfer KRB5CCNAME to the application?

KRB5CCNAME is an environment variable.  OpenSSH already contains code
that copies environment variables from the PAM child process to the main
process.  The problem is that at this point, the credentials are stored
in a temporary cache within the process, rather than a persistent cache,
and KRB5CCNAME is not yet set.  The temporary cache is lost when the PAM
child terminates, before pam_setcred() is called.

> If called from the application, pam_krb5 changes the application's
> environment or context and the application doesn't worry about the
> changes. All of it is done by PAM modules.

Yes.  PAM is crap.

DES
-- 
Dag-Erling Smørgrav - des@des.no
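The mechanism described in the message above, as an added example that is not part of the original mail, of OpenSSH, or of pam_krb5: a forked "PAM child" obtains credentials, keeps them either in a process-private memory cache or in a file, and exports KRB5CCNAME back to its parent over a pipe, much as sshd's monitor collects environment variables from its PAM child. The ticket string, the cache names, the temporary-file prefix and the function names are constructed for illustration; real Kerberos credential caches are not plain text files.

```c
/* Added example, not OpenSSH or pam_krb5 code.  Models why exporting
 * KRB5CCNAME from a forked PAM child is only half the job: the variable
 * name survives, but a MEMORY: cache dies with the child's address space. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Stand-in for a MEMORY: credential cache: it lives only in the address
 * space of whichever process wrote it (constructed, not a real ccache). */
static char memory_ccache[128];

/* The "PAM child": runs after fork(), obtains (fake) credentials, stores
 * them, and writes one "KRB5CCNAME=..." line to the pipe for the parent. */
static void pam_child(int wfd, int persistent)
{
    const char *ticket = "krbtgt/EXAMPLE.ORG@EXAMPLE.ORG for alice"; /* constructed */
    char ccname[160], line[200];

    if (persistent) {
        /* Persistent cache: a file the parent can open after we are gone. */
        char path[] = "/tmp/krb5cc_pamXXXXXX";
        int fd = mkstemp(path);
        if (fd < 0 || write(fd, ticket, strlen(ticket)) < 0)
            _exit(2);
        close(fd);
        snprintf(ccname, sizeof ccname, "FILE:%s", path);
    } else {
        /* Temporary cache: only this process's copy of memory_ccache changes. */
        snprintf(memory_ccache, sizeof memory_ccache, "%s", ticket);
        snprintf(ccname, sizeof ccname, "MEMORY:pam_krb5");
    }
    /* Export the variable the way a PAM module would via pam_putenv(). */
    int n = snprintf(line, sizeof line, "KRB5CCNAME=%s\n", ccname);
    if (write(wfd, line, (size_t)n) != n)
        _exit(2);
    _exit(0);
}

/* Parent side: read the exported variable, install it with setenv(), then
 * try to resolve the credentials it names.  Returns 1 if the parent can
 * see the credentials, 0 if only the name survived, -1 on error. */
int credentials_survive_child(int persistent)
{
    int pfd[2], visible = 0;
    char line[256] = {0};
    pid_t pid;
    FILE *fp;

    memory_ccache[0] = '\0';
    if (pipe(pfd) < 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        close(pfd[0]);
        pam_child(pfd[1], persistent);   /* never returns */
    }
    close(pfd[1]);
    fp = fdopen(pfd[0], "r");
    if (fp == NULL || fgets(line, sizeof line, fp) == NULL)
        return -1;
    fclose(fp);
    waitpid(pid, NULL, 0);               /* the PAM child is gone now */
    line[strcspn(line, "\n")] = '\0';

    /* Copy NAME=VALUE into the parent's environment. */
    char *eq = strchr(line, '=');
    if (eq == NULL)
        return -1;
    *eq = '\0';
    setenv(line, eq + 1, 1);

    const char *ccname = getenv("KRB5CCNAME");
    if (ccname != NULL && strncmp(ccname, "FILE:", 5) == 0) {
        char buf[128] = {0};
        FILE *cc = fopen(ccname + 5, "r");
        if (cc != NULL) {
            visible = fgets(buf, sizeof buf, cc) != NULL && buf[0] != '\0';
            fclose(cc);
            unlink(ccname + 5);          /* tidy up the constructed cache */
        }
    } else if (ccname != NULL && strncmp(ccname, "MEMORY:", 7) == 0) {
        /* The name arrived, but the parent's memory_ccache was never written. */
        visible = memory_ccache[0] != '\0';
    }
    return visible;
}

int main(void)
{
    printf("MEMORY: cache visible to parent: %d\n", credentials_survive_child(0));
    printf("FILE: cache visible to parent:   %d\n", credentials_survive_child(1));
    return 0;
}
```

The second call succeeds only because the child wrote the cache somewhere outside its own address space before exporting the name; with a MEMORY: cache the environment copy mechanism works perfectly and the credentials are still gone, which is the situation the message describes for pam_krb5 before pam_setcred() runs.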



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86mwnuszag.fsf>