OpenSSH, PAM and kerberos
Slawa Olhovchenkov
slw at zxy.spb.ru
Tue Sep 3 10:37:19 UTC 2013
On Tue, Sep 03, 2013 at 02:26:37PM +0400, Lev Serebryakov wrote:
> Hello, Dag-Erling.
> You wrote 3 сентября 2013 г., 13:38:48:
>
> >> And how in this case can be resolved situation with PAM credentials
> >> (Kerberos credentials in may case)?
> DES> The application does not need them.
> They are written to disk with pam_open_session() and this call should be
> called by sshd, not some "authorization daemon", if I understand situation
> right. Or don't I?
Written to disk with pam_setcred(), not pam_open_session(). And yes,
by sshd, after drop priveleges. And set KRB5CCNAME. "authorization
daemon" can't be set environment in other process.
More information about the freebsd-security
mailing list