ports/118547: [patch] xdm fails with pam_krb5
Szalai Andras
andrew at kispest.home
Tue Dec 11 10:20:01 UTC 2007
>Number: 118547
>Category: ports
>Synopsis: [patch] xdm fails with pam_krb5
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Dec 11 10:20:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator: Szalai Andras
>Release: FreeBSD 6.1-RELEASE-p21 i386
>Organization:
none
>Environment:
System: FreeBSD tristania.kispest.home 6.1-RELEASE-p21 FreeBSD 6.1-RELEASE-p21 #2: Sat Dec 1 21:40:16 CET 2007 andrew at tristania.kispest.home:/disk/ad12p5/root.usr/src/sys/i386/compile/TRISTANIA i386
Kerberos KDC with a standard setup, nothing special.
XDM package version: xdm-1.1.6_2
/etc/pam.d/xdm:
---
auth include system
account include system
session include system
password include system
---
/etc/pam.d/system:
---
#auth requisite pam_unix.so no_warn
auth requisite pam_krb5.so ccache=FILE:/tmp/krb5cc_%u no_warn
auth requisite pam_nologin.so no_warn
account requisite pam_unix.so no_warn
account requisite pam_krb5.so no_warn
session requisite pam_lastlog.so no_warn
password requisite pam_passwdqc.so enforce=everyone
#password requisite pam_unix.so try_first_pass no_warn
password requisite pam_krb5.so try_first_pass no_warn
---
>Description:
When you try to log in with a valid Kerberos principal into XDM, you
get a "Login incorrect" message.
/var/log/xdm.log says:
xdm error (pid XXX): pam_setcred failure: error in service module
XDM executes two pam_setcred calls. The first is in xdm-1.1.6/greeter/greet.c:
GreetUser()
[...]
RUN_AND_CHECK_PAM_ERROR(pam_setcred,
(*pamhp, 0));
^
So the flags argument is 0.
However, /usr/src/lib/libpam/modules/pam_krb5/pam_krb5.c contains:
pam_sm_setcred()
[...]
if (flags & PAM_DELETE_CRED)
return (PAM_SUCCESS);
if (flags & PAM_REFRESH_CRED)
return (PAM_SUCCESS);
if (flags & PAM_REINITIALIZE_CRED)
return (PAM_SUCCESS);
if (!(flags & PAM_ESTABLISH_CRED))
return (PAM_SERVICE_ERR);
So if flags is 0, you get PAM_SERVICE_ERR.
The second pam_setcred call is in xdm-1.1.6/session.c:
StartClient()
[...]
pam_error = pam_setcred (pamh, PAM_ESTABLISH_CRED);
I don't really know why the second pam_setcred call is necessary.
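As an added illustration (not code from the PR, xdm or pam_krb5), the following C program models the flag dispatch quoted above from pam_sm_setcred() and replays xdm's two pam_setcred() calls with the original flags (0, then PAM_ESTABLISH_CRED) and with the patched flags (PAM_ESTABLISH_CRED, then PAM_REINITIALIZE_CRED). The PAM constant names are real, but their numeric values here are illustrative placeholders rather than the system header's; a real module includes <security/pam_modules.h>. It also shows a caller-side check, setcred_flags_valid(), that would have caught the zero-flags call before it reached any module.

```c
/* Added example: model of pam_krb5's pam_sm_setcred() flag handling and
 * of the two pam_setcred() calls xdm makes. Not from the PR or xdm. */
#include <stdio.h>

/* Real PAM names, illustrative bit values (only distinctness matters here).
 * Real code takes these from <security/pam_modules.h>. */
#define PAM_ESTABLISH_CRED    0x1u
#define PAM_DELETE_CRED       0x2u
#define PAM_REINITIALIZE_CRED 0x4u
#define PAM_REFRESH_CRED      0x8u
#define PAM_SILENT            0x8000u
#define PAM_SUCCESS           0
#define PAM_SERVICE_ERR       3

/* Stand-in for per-handle module state: has a ccache been written? */
struct fake_handle {
    int ccache_created;
};

/* Mirrors the dispatch quoted from pam_krb5.c in the PR: three flags are
 * accepted as no-ops, only PAM_ESTABLISH_CRED does work, and anything
 * else, including 0, is treated as a caller error. */
int model_pam_sm_setcred(struct fake_handle *h, unsigned int flags)
{
    if (flags & PAM_DELETE_CRED)
        return PAM_SUCCESS;
    if (flags & PAM_REFRESH_CRED)
        return PAM_SUCCESS;
    if (flags & PAM_REINITIALIZE_CRED)
        return PAM_SUCCESS;
    if (!(flags & PAM_ESTABLISH_CRED))
        return PAM_SERVICE_ERR;
    h->ccache_created = 1;   /* real module: create FILE:/tmp/krb5cc_%u */
    return PAM_SUCCESS;
}

/* Replays xdm's sequence: greeter call first, session-start call second.
 * Stops at the first failure, as xdm does when it logs the error. */
static int replay(unsigned int greeter_flags, unsigned int session_flags,
                  struct fake_handle *h)
{
    int rc = model_pam_sm_setcred(h, greeter_flags);
    if (rc != PAM_SUCCESS)
        return rc;           /* "pam_setcred failure: error in service module" */
    return model_pam_sm_setcred(h, session_flags);
}

/* Return code of the replayed sequence. */
int replay_xdm_setcred_rc(unsigned int greeter_flags, unsigned int session_flags)
{
    struct fake_handle h = { 0 };
    return replay(greeter_flags, session_flags, &h);
}

/* Whether the replayed sequence left the user with a credential cache. */
int replay_xdm_ccache_created(unsigned int greeter_flags, unsigned int session_flags)
{
    struct fake_handle h = { 0 };
    if (replay(greeter_flags, session_flags, &h) != PAM_SUCCESS)
        return 0;
    return h.ccache_created;
}

/* Caller-side check an application can run before pam_setcred(): exactly
 * one operation bit must be set; PAM_SILENT may additionally be OR'd in. */
int setcred_flags_valid(unsigned int flags)
{
    unsigned int op = flags & ~PAM_SILENT;
    return op == PAM_ESTABLISH_CRED || op == PAM_DELETE_CRED ||
           op == PAM_REINITIALIZE_CRED || op == PAM_REFRESH_CRED;
}

int main(void)
{
    printf("unpatched xdm (0, ESTABLISH): rc=%d, ccache=%d\n",
           replay_xdm_setcred_rc(0, PAM_ESTABLISH_CRED),
           replay_xdm_ccache_created(0, PAM_ESTABLISH_CRED));
    printf("patched xdm (ESTABLISH, REINITIALIZE): rc=%d, ccache=%d\n",
           replay_xdm_setcred_rc(PAM_ESTABLISH_CRED, PAM_REINITIALIZE_CRED),
           replay_xdm_ccache_created(PAM_ESTABLISH_CRED, PAM_REINITIALIZE_CRED));
    printf("flags 0 valid? %d\n", setcred_flags_valid(0));
    return 0;
}
```

The replay makes the failure mode visible: with the unpatched flags the greeter call returns PAM_SERVICE_ERR and the session call is never reached, so no ccache exists and the login is refused; with the patched flags the first call creates the cache and the second is a no-op for this module.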
>How-To-Repeat:
Install a kerberos KDC, and put pam_krb5 into pam config files.
>Fix:
I have created a patch which calls the first pam_setcred with
PAM_ESTABLISH_CRED and the second with PAM_REINITIALIZE_CRED parameter.
It may break other pam modules.
--- xdm-src.diff begins here ---
diff -ru xdm-1.1.6.orig/greeter/greet.c xdm-1.1.6.new/greeter/greet.c
--- xdm-1.1.6.orig/greeter/greet.c Wed May 30 20:03:38 2007
+++ xdm-1.1.6.new/greeter/greet.c Mon Dec 10 21:51:01 2007
@@ -567,7 +567,7 @@
}
RUN_AND_CHECK_PAM_ERROR(pam_setcred,
- (*pamhp, 0));
+ (*pamhp, PAM_ESTABLISH_CRED));
RUN_AND_CHECK_PAM_ERROR(pam_get_item,
(*pamhp, PAM_USER, (void *) &username));
if (username != NULL) {
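Review bot: the change at the RUN_AND_CHECK_PAM_ERROR(pam_setcred, ...) line fixes the zero-flags call, but it now makes the greeter the place where credentials are actually established, while session.c still issues its own pam_setcred() a few lines later in the same login path. Please add a comment here stating that this call is the one that establishes credentials and that the session.c call is intentionally a reinitialize, and check that modules for which PAM_ESTABLISH_CRED does real work (pam_krb5 writes the ccache named by ccache=FILE:/tmp/krb5cc_%u) end up with files owned by the logging-in user rather than by the greeter process, since the call has moved to an earlier point in the login sequence.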
diff -ru xdm-1.1.6.orig/session.c xdm-1.1.6.new/session.c
--- xdm-1.1.6.orig/session.c Thu May 24 19:30:26 2007
+++ xdm-1.1.6.new/session.c Mon Dec 10 21:50:59 2007
@@ -634,7 +634,8 @@
long i;
char **pam_env;
- pam_error = pam_setcred (pamh, PAM_ESTABLISH_CRED);
+ /* FIXME: pam_setcred is already called in greet.c. */
+ pam_error = pam_setcred (pamh, PAM_REINITIALIZE_CRED);
if (pam_error != PAM_SUCCESS) {
LogError ("pam_setcred for \"%s\" failed: %s\n",
name, pam_strerror(pamh, pam_error));
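Review bot: the `+ pam_error = pam_setcred (pamh, PAM_REINITIALIZE_CRED);` line turns this call into a no-op for pam_krb5, which, per the pam_sm_setcred() excerpt in the description, returns PAM_SUCCESS immediately on PAM_REINITIALIZE_CRED, so for other modules the only effect is that whatever they did on PAM_ESTABLISH_CRED here is now skipped; the submitter's own note that "it may break other pam modules" should be resolved rather than left as a `/* FIXME */`. Either drop this call entirely and keep the single PAM_ESTABLISH_CRED call in greet.c, or keep this one as the establishing call and make the greet.c call the reinitialize, and say in the comment which of the two is authoritative so a later reader does not reintroduce a second establish.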
--- xdm-src.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: