pam_krb5 / pam_sm_setcred not getting called with PAM_ESTABLISH_CRED

Stijn Hoop stijn at win.tue.nl
Sat Sep 3 07:55:09 PDT 2005


On Sat, Sep 03, 2005 at 11:44:34AM +0200, Stijn Hoop wrote:
> I'm debugging a problem on 5-STABLE where I've setup a KDC using Heimdal
> in the base system, and activated pam_krb5 in /etc/pam.d/sshd. It turns out
> that pam_krb5 does not establish the credential cache for the authenticated
> user. After reinstalling pam with DEBUG & PAM_DEBUG, it turns out that
> pam_sm_setcred is only called with PAM_REINITIALIZE_CRED as flags, and
> never with PAM_ESTABLISH_CRED, which is the only case for which a credential
> cache will be saved (in all other cases, PAM_SUCCESS is returned immediately,
> which is why I don't have a cache).

Further digging reveals that this is due to the sshd code; it turns
out that unless PrivilegeSeparation is off, it will not 'establish'
credentials, only 'reinitialize' them. Found in src/crypto/openssh/auth-pam.c
and session.c. I really wouldn't know if this is appropriate or not, but it
seems confusing to me.

The second question still stands:

> - shouldn't pam_krb5 re-establish the credential cache when called with
>   PAM_REINITIALIZE_CRED, instead of just returning PAM_SUCCESS? I'm a total
>   pam newbie so I'm going only by the name of the flag; I couldn't find a
>   manpage that made the semantics of these flags more clear.

Or of course someone pointing out the correct way to get an initialized
Kerberos 5 ticket cache upon successful ssh login...

--Stijn

-- 
"Diane, 2:15 in the afternoon, November 14. Entering town of Twin Peaks.
 Five miles south of the Canadian border, twelve miles west of the state
 line. Never seen so many trees in my life. As W.C. Fields would say, I'd
 rather be here than Philadelphia."
		-- Special Agent Dale Cooper, "Twin Peaks"
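The flag dispatch in pam_sm_setcred() is what both of Stijn's questions turn on, so here is an added example (not code from pam_krb5, OpenPAM or sshd) that shows the two variants side by side: the establish-only behaviour the post observed, and a dispatch that treats PAM_REINITIALIZE_CRED like PAM_ESTABLISH_CRED and also handles PAM_REFRESH_CRED and PAM_DELETE_CRED. It then runs both against the two sshd call sequences the post describes (ESTABLISH without privilege separation, REINITIALIZE with it). The Kerberos cache, the parked TGT, the principal name and the PAM_* numeric values are stand-ins and assumptions chosen so the file compiles without libpam or libkrb5; a real module takes the constants from <security/pam_modules.h> and does the cache work with krb5_cc_*().

```c
/* Added example, not code from pam_krb5 or sshd: pam_sm_setcred() flag
 * dispatch, exercised against the sshd call sequences described in the post.
 * The credential cache and the parked TGT are in-memory stand-ins for the
 * krb5_cc_*() / pam_set_data() plumbing.  The PAM_* values are an assumption
 * (OpenPAM's); a real module takes them from <security/pam_modules.h>. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PAM_SUCCESS           0
#define PAM_CRED_UNAVAIL      14
#define PAM_CRED_ERR          16
#define PAM_ESTABLISH_CRED    0x1U
#define PAM_DELETE_CRED       0x2U
#define PAM_REINITIALIZE_CRED 0x4U
#define PAM_REFRESH_CRED      0x8U
#define PAM_SILENT            0x80000000U

/* Stand-in for the TGT pam_sm_authenticate() obtained and parked in module
 * data until pam_sm_setcred() may place it in the user's cache. */
struct module_data { bool have_tgt; char principal[64]; };

/* Stand-in for the user's cache (e.g. FILE:/tmp/krb5cc_<uid>) and the
 * KRB5CCNAME the module would export into the PAM environment. */
struct ccache { bool initialized; char principal[64]; char krb5ccname[64]; };

static void write_cache(const struct module_data *md, struct ccache *cc)
{
    cc->initialized = true;
    snprintf(cc->principal, sizeof cc->principal, "%s", md->principal);
    snprintf(cc->krb5ccname, sizeof cc->krb5ccname, "FILE:/tmp/krb5cc_1001");
}

/* The behaviour the post observed: only PAM_ESTABLISH_CRED writes a cache;
 * every other operation is an immediate PAM_SUCCESS no-op. */
static int setcred_establish_only(unsigned flags, struct module_data *md,
                                  struct ccache *cc)
{
    if (!(flags & PAM_ESTABLISH_CRED))
        return PAM_SUCCESS;
    if (!md->have_tgt)
        return PAM_CRED_UNAVAIL;
    write_cache(md, cc);
    return PAM_SUCCESS;
}

/* A dispatch honouring all four operations.  PAM_SILENT may be OR'd into
 * flags by the application, so mask it before switching; a module testing
 * flags == PAM_ESTABLISH_CRED silently does nothing for such callers. */
static int setcred_full(unsigned flags, struct module_data *md,
                        struct ccache *cc)
{
    switch (flags & ~PAM_SILENT) {
    case PAM_ESTABLISH_CRED:
    case PAM_REINITIALIZE_CRED:
        /* Both (re)create the cache from the parked TGT: the case missing
         * under sshd with privilege separation in the post. */
        if (!md->have_tgt)
            return PAM_CRED_UNAVAIL;
        write_cache(md, cc);
        return PAM_SUCCESS;
    case PAM_REFRESH_CRED:
        /* Would re-store renewed tickets; requires an existing cache. */
        return cc->initialized ? PAM_SUCCESS : PAM_CRED_UNAVAIL;
    case PAM_DELETE_CRED:
        memset(cc, 0, sizeof *cc);          /* krb5_cc_destroy() at logout */
        return PAM_SUCCESS;
    default:
        return PAM_CRED_ERR;
    }
}

typedef int (*setcred_fn)(unsigned, struct module_data *, struct ccache *);

/* The sequence the post attributes to sshd after pam_authenticate(): with
 * privilege separation off, pam_setcred(PAM_ESTABLISH_CRED); with it on,
 * only pam_setcred(PAM_REINITIALIZE_CRED).  Returns whether the session
 * ends up with a cache.  Principal name is constructed sample data. */
static bool ssh_login_leaves_ccache(setcred_fn setcred, bool privsep,
                                    unsigned extra_flags)
{
    struct module_data md = { .have_tgt = true, .principal = "user@EXAMPLE.ORG" };
    struct ccache cc = { 0 };
    unsigned op = privsep ? PAM_REINITIALIZE_CRED : PAM_ESTABLISH_CRED;
    (void)setcred(op | extra_flags, &md, &cc);
    return cc.initialized;
}

/* Establish, then the PAM_DELETE_CRED an application issues at logout:
 * true if the cache is gone afterwards. */
static bool logout_removes_ccache(setcred_fn setcred)
{
    struct module_data md = { .have_tgt = true, .principal = "user@EXAMPLE.ORG" };
    struct ccache cc = { 0 };
    (void)setcred(PAM_ESTABLISH_CRED, &md, &cc);
    (void)setcred(PAM_DELETE_CRED, &md, &cc);
    return !cc.initialized;
}

int main(void)
{
    printf("%-15s privsep=off:%s privsep=on:%s logout-clears:%s\n", "establish-only",
           ssh_login_leaves_ccache(setcred_establish_only, false, 0) ? "yes" : "no",
           ssh_login_leaves_ccache(setcred_establish_only, true, 0) ? "yes" : "no",
           logout_removes_ccache(setcred_establish_only) ? "yes" : "no");
    printf("%-15s privsep=off:%s privsep=on:%s logout-clears:%s\n", "full",
           ssh_login_leaves_ccache(setcred_full, false, 0) ? "yes" : "no",
           ssh_login_leaves_ccache(setcred_full, true, 0) ? "yes" : "no",
           logout_removes_ccache(setcred_full) ? "yes" : "no");
    return 0;
}
```

The establish-only dispatch leaves a privilege-separated sshd session without a cache and, because PAM_DELETE_CRED is also a no-op, never removes one at logout; the full dispatch does both. Whether REINITIALIZE should be treated as a fresh establish is exactly the semantic question the post raises; the example simply shows what each choice does to the session.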