telnetd/sshd and Kerberos tickets (PAM)

Stijn Hoop stijn at
Mon Nov 14 12:31:51 GMT 2005

On Fri, Oct 21, 2005 at 05:10:39PM +0200, Harti Brandt wrote:
> On Fri, 21 Oct 2005, Stijn Hoop wrote:
> SH>On Fri, Oct 21, 2005 at 04:08:14PM +0200, Harti Brandt wrote:
> SH>> I have enabled the pam_krb5 module in pam.d/{login,telnetd,sshd}. When 
> SH>> login in locally I get a Kerberos ticket as I would expect. When logging 
> SH>> in via ssh or telnet I don't get one. I have digged around in the sources 
> SH>> and it locks like telnetd never calls pam_setcred() which would do this 
> SH>> work. My PAM-foo is rather limited so my question is: shouldn't sshd and 
> SH>> telnetd call pam_setcred() somewhere?
> SH>
> SH>WRT sshd I bugged des@ about this but did not receive an answer :( See
> SH>the attached mail.
> Hmm. I digged around a little bit and found something:
> From a first glance it seems that this bug was introduced by fixing 
> another bug.

I see. If I understand correctly, disabling privsep will fix it?

Still, I would really like to get an answer to my PAM question:

"Is it allowed for an application to only call pam_setcred with the
PAM_REINITIALIZE_FLAG, while never having called it with PAM_ESTABLISH_CRED?"

Did you find out yet?


"An adult is a child who has more ethics and morals, that's all."
		-- Shigeru Miyamoto
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :

More information about the freebsd-hackers mailing list