pam_krb5 / pam_sm_setcred not getting called with PAM_ESTABLISH_CRED

Stijn Hoop stijn at win.tue.nl
Sat Sep 3 02:44:37 PDT 2005


Hi,

I'm debugging a problem on 5-STABLE where I've set up a KDC using Heimdal
in the base system, and activated pam_krb5 in /etc/pam.d/sshd. It turns out
that pam_krb5 does not establish the credential cache for the authenticated
user. After reinstalling pam with DEBUG & PAM_DEBUG, it turns out that
pam_sm_setcred is only called with PAM_REINITIALIZE_CRED as flags, and
never with PAM_ESTABLISH_CRED, which is the only case for which a credential
cache will be saved (in all other cases, PAM_SUCCESS is returned immediately,
which is why I don't have a cache).

My questions:

- is this due to my pam setup? I've used the default /etc/pam.d/ssh while
  uncommenting the pam_krb5 entries, and I've also tried having only pam_krb5
  as being required for all types. Both setups did not make any difference.
- shouldn't pam_krb5 re-establish the credential cache when called with
  PAM_REINITIALIZE_CRED, instead of just returning PAM_SUCCESS? I'm a total
  pam newbie so I'm going only by the name of the flag; I couldn't find a
  manpage that made the semantics of these flags more clear.

--Stijn

-- 
"What if everything you see is more than what you see -- the person next to
you is a warrior and the space that appears empty is a secret door to another
world? What if something appears that shouldn't? You either dismiss it, or you
accept that there is much more to the world than you think. Perhaps it really
is a doorway, and if you choose to go inside, you'll find many unexpected
things."
		-- Shigeru Miyamoto
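
A small helper for the kind of debugging described in the message above, as an added example that is not part of the original post or of pam_krb5: it names the bits in a `pam_sm_setcred` flags word for a debug log and models the reported behaviour, in which only `PAM_ESTABLISH_CRED` leads to a saved credential cache. The `ex_*` functions and `EX_*` constants are hypothetical names, and the numeric values are assumed to match OpenPAM's headers.

```c
#include <stdio.h>
#include <string.h>

/* Assumed values mirroring OpenPAM's <security/pam_constants.h>; a real
 * module includes <security/pam_modules.h> and uses the PAM_* names. */
#define EX_ESTABLISH_CRED    0x1u
#define EX_DELETE_CRED       0x2u
#define EX_REINITIALIZE_CRED 0x4u
#define EX_REFRESH_CRED      0x8u
#define EX_SILENT            0x80000000u
#define EX_ACTION_MASK       0xFu

static const struct { unsigned bit; const char *name; } ex_names[] = {
    { EX_ESTABLISH_CRED, "PAM_ESTABLISH_CRED" }, { EX_DELETE_CRED, "PAM_DELETE_CRED" },
    { EX_REINITIALIZE_CRED, "PAM_REINITIALIZE_CRED" },
    { EX_REFRESH_CRED, "PAM_REFRESH_CRED" }, { EX_SILENT, "PAM_SILENT" },
};

/* Render a flags word as "NAME|NAME" for a debug log line; bits with no
 * known name (or an empty word) are shown in hex so nothing is hidden. */
const char *ex_describe(unsigned flags, char *buf, size_t len)
{
    if (len == 0) return buf;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof ex_names / sizeof ex_names[0]; i++) {
        if (!(flags & ex_names[i].bit)) continue;
        if (buf[0]) strncat(buf, "|", len - strlen(buf) - 1);
        strncat(buf, ex_names[i].name, len - strlen(buf) - 1);
        flags &= ~ex_names[i].bit;
    }
    if (flags || !buf[0])
        snprintf(buf + strlen(buf), len - strlen(buf), "%s0x%x", buf[0] ? "|" : "", flags);
    return buf;
}

/* Model of the behaviour the post reports: a cache is saved only when the
 * action bits are exactly PAM_ESTABLISH_CRED; PAM_SILENT does not matter. */
int ex_saves_ccache(unsigned flags) { return (flags & EX_ACTION_MASK) == EX_ESTABLISH_CRED; }

int main(void)
{
    /* Constructed sample flag words, not captured from a real sshd. */
    const unsigned calls[] = { EX_ESTABLISH_CRED, EX_REINITIALIZE_CRED,
                               EX_REINITIALIZE_CRED | EX_SILENT, 0 };
    char buf[96];
    for (size_t i = 0; i < sizeof calls / sizeof calls[0]; i++)
        printf("%-36s ccache saved: %s\n", ex_describe(calls[i], buf, sizeof buf),
               ex_saves_ccache(calls[i]) ? "yes" : "no");
    return 0;
}
```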