telnetd/sshd and Kerberos tickets (PAM)

Stijn Hoop stijn at win.tue.nl
Mon Nov 14 12:31:51 GMT 2005


On Fri, Oct 21, 2005 at 05:10:39PM +0200, Harti Brandt wrote:
> On Fri, 21 Oct 2005, Stijn Hoop wrote:
> SH>On Fri, Oct 21, 2005 at 04:08:14PM +0200, Harti Brandt wrote:
> SH>> I have enabled the pam_krb5 module in pam.d/{login,telnetd,sshd}. When 
> SH>> logging in locally I get a Kerberos ticket as I would expect. When logging 
> SH>> in via ssh or telnet I don't get one. I have dug around in the sources 
> SH>> and it looks like telnetd never calls pam_setcred() which would do this 
> SH>> work. My PAM-foo is rather limited so my question is: shouldn't sshd and 
> SH>> telnetd call pam_setcred() somewhere?
> SH>
> SH>WRT sshd I bugged des@ about this but did not receive an answer :( See
> SH>the attached mail.
> 
> Hmm. I dug around a little bit and found something:
> 
> http://bugzilla.mindrot.org/show_bug.cgi?id=789
> 
> At first glance it seems that this bug was introduced by fixing 
> another bug.

I see. If I understand correctly, disabling privsep will fix it?

Still, I would really like to get an answer to my PAM question:

"Is it allowed for an application to only call pam_setcred with the
PAM_REINITIALIZE_FLAG, while never having called it with PAM_ESTABLISH_CRED?"

Did you find out yet?

--Stijn

-- 
"An adult is a child who has more ethics and morals, that's all."
		-- Shigeru Miyamoto