OpenSSH, PAM and kerberos
Slawa Olhovchenkov
slw at zxy.spb.ru
Fri Aug 30 10:28:04 UTC 2013
On Fri, Aug 30, 2013 at 02:09:26PM +0400, Slawa Olhovchenkov wrote:
> On Fri, Aug 30, 2013 at 09:44:54AM +0200, Dag-Erling Sm??rgrav wrote:
>
> > Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
> > > I am try to setup single sign-on and found this is imposuble due to
> > > bug in OpenSSH: currently sshd do pam_authenticate() and
> > > pam_acct_mgmt() from child process, but pam_setcred() from paren
> > > proccess. pam_krb5 in pam_sm_setcred() required information from
> > > pam_sm_authenticate and can't work corretly (can't create
> > > /tmp/krb5cc_NNNN, can't set envirompent KRB5CCNAME and so).
> >
> > PAM authentication in OpenSSH was broken for non-trivial cases when
> > privilege separation was implemented. Fixing it properly would be very
> > difficult.
>
> Same behaviour with 'UsePrivilegeSeparation no'.
>
This issuse not in privilege separation, this is because PAM
authentication use pthread emulation throw fork().
More information about the freebsd-security
mailing list