ports/118547: [patch] xdm fails with pam_krb5

Szalai Andras andrew at kispest.home
Tue Dec 11 10:20:01 UTC 2007


>Number:         118547
>Category:       ports
>Synopsis:       [patch] xdm fails with pam_krb5
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 11 10:20:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Szalai Andras
>Release:        FreeBSD 6.1-RELEASE-p21 i386
>Organization:
none
>Environment:
System: FreeBSD tristania.kispest.home 6.1-RELEASE-p21 FreeBSD 6.1-RELEASE-p21 #2: Sat Dec 1 21:40:16 CET 2007 andrew at tristania.kispest.home:/disk/ad12p5/root.usr/src/sys/i386/compile/TRISTANIA i386

Kerberos KDC with a standard setup, nothing special.

XDM package version: xdm-1.1.6_2

/etc/pam.d/xdm:
---
auth		include		system
account		include		system
session		include		system
password	include		system
---

/etc/pam.d/system:
---
#auth		requisite	pam_unix.so		no_warn
auth		requisite	pam_krb5.so		ccache=FILE:/tmp/krb5cc_%u no_warn
auth		requisite	pam_nologin.so		no_warn

account		requisite	pam_unix.so		no_warn
account		requisite	pam_krb5.so		no_warn

session		requisite	pam_lastlog.so		no_warn

password	requisite	pam_passwdqc.so		enforce=everyone
#password	requisite	pam_unix.so		try_first_pass no_warn
password	requisite	pam_krb5.so		try_first_pass no_warn
---

>Description:

When you try to log in to XDM with a valid Kerberos principal, you
get a "Login incorrect" message.

/var/log/xdm.log says:
xdm error (pid XXX): pam_setcred failure: error in service module

XDM executes two pam_setcred calls. The first is in xdm-1.1.6/greeter/greet.c:

GreetUser()
[...]
	RUN_AND_CHECK_PAM_ERROR(pam_setcred,
				(*pamhp, 0));
                                         ^

So the flags value is 0.

However, /usr/src/lib/libpam/modules/pam_krb5/pam_krb5.c contains:

pam_sm_setcred()
[...]
	if (flags & PAM_DELETE_CRED)
		return (PAM_SUCCESS);

	if (flags & PAM_REFRESH_CRED)
		return (PAM_SUCCESS);

	if (flags & PAM_REINITIALIZE_CRED)
		return (PAM_SUCCESS);

	if (!(flags & PAM_ESTABLISH_CRED))
		return (PAM_SERVICE_ERR);

So if flags is 0, you get PAM_SERVICE_ERR.

The second pam_setcred call is in xdm-1.1.6/session.c:

StartClient()
[...]
	    pam_error = pam_setcred (pamh, PAM_ESTABLISH_CRED);

I don't really know why the second pam_setcred call is necessary.
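The flag dispatch described above, as a stand-alone C model added here (it is not code from xdm or from FreeBSD's pam_krb5): it reproduces the quoted pam_sm_setcred() test order with locally defined, assumed flag values, then runs xdm's two pam_setcred calls in order with the unpatched arguments (0, then PAM_ESTABLISH_CRED) and with the patched ones (PAM_ESTABLISH_CRED, then PAM_REINITIALIZE_CRED). The names model_pam_sm_setcred, model_xdm_setcred_sequence and the xdm_* wrappers are hypothetical; the user "andrew" is a constructed sample value.

```c
#include <stdio.h>
#include <string.h>

/*
 * Flag and return-code names follow the PAM API, but the numeric values
 * below are ASSUMED for this stand-alone model and are not copied from
 * any pam header.  Only the bit tests matter here.
 */
#define PAM_SUCCESS            0
#define PAM_SERVICE_ERR        3
#define PAM_ESTABLISH_CRED     0x1
#define PAM_DELETE_CRED        0x2
#define PAM_REINITIALIZE_CRED  0x4
#define PAM_REFRESH_CRED       0x8

/* Stand-in for the per-login state a real pam_handle_t would carry. */
struct model_handle {
    char ccache[64];       /* "" until credentials are established */
};

/*
 * Models the dispatch order quoted from pam_krb5.c's pam_sm_setcred():
 * delete, refresh and reinitialize requests return success without
 * touching the cache; a request that does not ask for ESTABLISH is
 * rejected with PAM_SERVICE_ERR.
 */
int model_pam_sm_setcred(struct model_handle *h, int flags, const char *user)
{
    if (flags & PAM_DELETE_CRED)
        return PAM_SUCCESS;
    if (flags & PAM_REFRESH_CRED)
        return PAM_SUCCESS;
    if (flags & PAM_REINITIALIZE_CRED)
        return PAM_SUCCESS;
    if (!(flags & PAM_ESTABLISH_CRED))
        return PAM_SERVICE_ERR;

    /* Only an ESTABLISH request reaches this point; mimic ccache=FILE:/tmp/krb5cc_%u. */
    snprintf(h->ccache, sizeof h->ccache, "FILE:/tmp/krb5cc_%s", user);
    return PAM_SUCCESS;
}

/*
 * Models xdm's two calls in order: first the greeter (greet.c), then
 * StartClient (session.c).  Returns the first non-success code, or
 * PAM_SUCCESS when both calls pass.
 */
int model_xdm_setcred_sequence(struct model_handle *h, int greeter_flags,
                               int session_flags, const char *user)
{
    int rc;

    memset(h, 0, sizeof *h);
    rc = model_pam_sm_setcred(h, greeter_flags, user);
    if (rc != PAM_SUCCESS)
        return rc;          /* RUN_AND_CHECK_PAM_ERROR aborts the greet here */
    return model_pam_sm_setcred(h, session_flags, user);
}

/* Convenience wrappers for the two scenarios, sharing one static handle. */
static struct model_handle g_h;

int xdm_unpatched_rc(void)
{
    return model_xdm_setcred_sequence(&g_h, 0, PAM_ESTABLISH_CRED, "andrew");
}

int xdm_patched_rc(void)
{
    return model_xdm_setcred_sequence(&g_h, PAM_ESTABLISH_CRED,
                                      PAM_REINITIALIZE_CRED, "andrew");
}

int ccache_established(void)
{
    return g_h.ccache[0] != '\0';
}

int main(void)
{
    int rc;

    rc = xdm_unpatched_rc();
    printf("unpatched (0, ESTABLISH):            rc=%d ccache=\"%s\"\n", rc, g_h.ccache);

    rc = xdm_patched_rc();
    printf("patched   (ESTABLISH, REINITIALIZE): rc=%d ccache=\"%s\"\n", rc, g_h.ccache);
    return 0;
}
```

Compiled with any C compiler, the unpatched sequence stops at the greeter with PAM_SERVICE_ERR and never creates a cache, which is the "pam_setcred failure: error in service module" path in xdm.log. The patched sequence succeeds only because the quoted pam_krb5 code treats PAM_REINITIALIZE_CRED as an immediate success; a module that really re-establishes credentials on that flag would behave differently from the old PAM_ESTABLISH_CRED call in session.c, which is the "may break other pam modules" caveat in the Fix section.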

>How-To-Repeat:

Install a Kerberos KDC, and put pam_krb5 into the PAM config files.

>Fix:

I have created a patch which calls the first pam_setcred with
PAM_ESTABLISH_CRED and the second with PAM_REINITIALIZE_CRED parameter.
It may break other pam modules.

--- xdm-src.diff begins here ---
diff -ru xdm-1.1.6.orig/greeter/greet.c xdm-1.1.6.new/greeter/greet.c
--- xdm-1.1.6.orig/greeter/greet.c	Wed May 30 20:03:38 2007
+++ xdm-1.1.6.new/greeter/greet.c	Mon Dec 10 21:51:01 2007
@@ -567,7 +567,7 @@
 	}
 	
 	RUN_AND_CHECK_PAM_ERROR(pam_setcred,
-				(*pamhp, 0));
+				(*pamhp, PAM_ESTABLISH_CRED));
 	RUN_AND_CHECK_PAM_ERROR(pam_get_item,
 				(*pamhp, PAM_USER, (void *) &username));
 	if (username != NULL) {
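Review bot: with `(*pamhp, PAM_ESTABLISH_CRED));` the greeter now performs the real credential establishment, and since RUN_AND_CHECK_PAM_ERROR aborts on any non-success return, a module that fails to establish credentials now fails the login in the greeter instead of in StartClient; the hunk carries no comment saying this move is intentional, so add one that points at the session.c counterpart. It is also worth confirming which uid the greeter process has at this point, because with `ccache=FILE:/tmp/krb5cc_%u` in /etc/pam.d/system the cache file is written during ESTABLISH and must later be usable by the user's session.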
diff -ru xdm-1.1.6.orig/session.c xdm-1.1.6.new/session.c
--- xdm-1.1.6.orig/session.c	Thu May 24 19:30:26 2007
+++ xdm-1.1.6.new/session.c	Mon Dec 10 21:50:59 2007
@@ -634,7 +634,8 @@
 	    long i;
 	    char **pam_env;
 
-	    pam_error = pam_setcred (pamh, PAM_ESTABLISH_CRED);
+	    /* FIXME: pam_setcred is already called in greet.c. */ 
+	    pam_error = pam_setcred (pamh, PAM_REINITIALIZE_CRED);
 	    if (pam_error != PAM_SUCCESS) {
 		LogError ("pam_setcred for \"%s\" failed: %s\n",
 			 name, pam_strerror(pamh, pam_error));
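Review bot: the added line `/* FIXME: pam_setcred is already called in greet.c. */ ` has trailing whitespace; drop it. The comment also marks a FIXME without saying why PAM_REINITIALIZE_CRED was chosen: per the pam_sm_setcred excerpt in the description, pam_krb5 returns PAM_SUCCESS immediately on PAM_REINITIALIZE_CRED, so for Kerberos this call becomes a no-op, while a module that actually acts on REINITIALIZE will behave differently from the previous ESTABLISH call. State that in the comment, and note that the unchanged `LogError ("pam_setcred for \"%s\" failed: %s\n",` message still reads as if establishment happened here.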
--- xdm-src.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
