Date: Fri, 30 Aug 2013 09:44:54 +0200 From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no> To: Slawa Olhovchenkov <slw@zxy.spb.ru> Cc: freebsd-security@FreeBSD.org Subject: Re: OpenSSH, PAM and kerberos Message-ID: <86d2ovy64p.fsf@nine.des.no> In-Reply-To: <20130829004844.GA70584@zxy.spb.ru> (Slawa Olhovchenkov's message of "Thu, 29 Aug 2013 04:48:44 %2B0400") References: <20130829004844.GA70584@zxy.spb.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
Slawa Olhovchenkov <slw@zxy.spb.ru> writes: > I am try to setup single sign-on and found this is imposuble due to > bug in OpenSSH: currently sshd do pam_authenticate() and > pam_acct_mgmt() from child process, but pam_setcred() from paren > proccess. pam_krb5 in pam_sm_setcred() required information from > pam_sm_authenticate and can't work corretly (can't create > /tmp/krb5cc_NNNN, can't set envirompent KRB5CCNAME and so). PAM authentication in OpenSSH was broken for non-trivial cases when privilege separation was implemented. Fixing it properly would be very difficult. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86d2ovy64p.fsf>