OpenSSH, PAM and kerberos

Lev Serebryakov lev at FreeBSD.org
Tue Sep 3 10:50:39 UTC 2013


Hello, Slawa.
You wrote on 3 September 2013, 14:39:22:

>> >> And how in this case can be resolved situation with PAM credentials
>> >> (Kerberos credentials in my case)?
>> DES> The application does not need them.
>>  They are written to disk with pam_open_session() and this call should be
>> called by sshd, not some "authorization daemon", if I understand situation
>> right. Or don't I?
SO> Written to disk with pam_setcred(), not pam_open_session(). And yes,
SO> by sshd, after dropping privileges. And set KRB5CCNAME. "authorization
SO> daemon" can't set environment in other process.
  des@ suggests to have ability to pass env variables from authorization
 daemon, but anyway, pam_setcred() should be called by shell process (or its
 parent), and not any process in system, am I right?

-- 
// Black Lion AKA Lev Serebryakov <lev at FreeBSD.org>


