On Wed, Jul 23, 2008 at 15:58 -0400, houck wrote:
> On Wed, Jul 23, 2008 at 12:23 -0700, Russ Allbery wrote:
> > John Houck <[EMAIL PROTECTED]> writes:
> > > The ccache option is supposed to allow customizing the name of the
> > > credentials file.  Regarding that option, the man page says:
> > >
> > >     This option can be set in krb5.conf and is only
> > >     applicable to the auth and session groups.
> > >
> > > This is incorrect -- ccache cannot be set in krb5.conf
> >
> > I'm not sure what to say other than "yes, it can."
> 
> I don't know what to say either.  I read and re-read all the
> docs I could find and tried numerous variations on the
> documented syntax for setting the ccache option in krb5.conf.
> None of that had any effect.
> 
> Setting ccache on the pam_krb5.so command line in
> /etc/pam.d/common-session solved the problem immediately.
> 
> If it will help, I'm happy to repeat the exercise with krb5.conf
> and send you any output or config files you'd like to see.

I can reproduce the problem by removing the pam_krb5.so entry
from /etc/pam.d/common-session (so I guess the real bug was
the fact that my earlier pam configuration omitted this line).

With that (broken) pam configuration, I use an /etc/krb5.conf
file that contains:

[appdefaults]
        ccache=FILE:/tmp/krb5cc_%u_XXXXXX
        pam =
        {
          debug = true
          ticket_lifetime = 43200
          renew_lifetime = 43200
          forwardable = true
          krb4_convert = false
        }

Logging in with ssh then creates this credentials file:

> ls -l /tmp/krb5cc*
-rw------- 1 houck houck 479 2008-07-23 19:05 /tmp/krb5cc_0

Here's the debug output from /var/log/auth.log:

  Accepted keyboard-interactive/pam for houck from xxx.xxx.xxx.xxx port 35914 ssh2
  (pam_unix) session opened for user houck by (uid=0)
  (pam_krb5): none: pam_sm_setcred: entry (0x8)
  (pam_krb5): none: no context found, creating one
  (pam_krb5): houck: found initial ticket cache at /tmp/krb5cc_pam_J15925
  (pam_krb5): houck: refreshing ticket cache /tmp/krb5cc_0
  (pam_krb5): houck: initializing ticket cache /tmp/krb5cc_0
  (pam_krb5): houck: pam_sm_setcred: exit (success)

Since the ticket cache file name doesn't match the pattern specified
in krb5.conf, I concluded that the docs were wrong.

But if I now add the pam_krb5.so entry to /etc/pam.d/common-session
then the krb5.conf ccache specification is obeyed.

Perhaps I understand now, more or less.

Thanks,
-John
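An added example, not from this thread or from pam-krb5 itself, that automates the check John did by hand: read the top-level ccache pattern from [appdefaults], test whether the cache paths that pam_krb5 debug logging reports match it, and confirm that common-session actually loads pam_krb5.so. The pattern expansion it assumes (%u as the numeric UID, %p as the PID, XXXXXX as six random characters) and all sample inputs are constructed from the messages above.

```python
import re

# Constructed samples, copied from the thread (not read from a real host).
KRB5_CONF = """[appdefaults]
        ccache=FILE:/tmp/krb5cc_%u_XXXXXX
        pam =
        {
          debug = true
          forwardable = true
        }
"""
AUTH_LOG = [
    "(pam_krb5): houck: found initial ticket cache at /tmp/krb5cc_pam_J15925",
    "(pam_krb5): houck: refreshing ticket cache /tmp/krb5cc_0",
    "(pam_krb5): houck: initializing ticket cache /tmp/krb5cc_0",
]
COMMON_SESSION = "session required pam_unix.so\n"  # pam_krb5.so line is missing

def configured_ccache(conf):
    """Return the top-level ccache value in [appdefaults], ignoring nested {} blocks."""
    section, depth = None, 0
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section, depth = line[1:-1], 0
            continue
        if section == "appdefaults" and depth == 0:
            m = re.match(r"ccache\s*=\s*(\S+)", line)
            if m:
                return m.group(1)
        depth += line.count("{") - line.count("}")
    return None

def ccache_regex(pattern):
    """Assumed pam-krb5 expansions: %u -> UID, %p -> PID, XXXXXX -> mkstemp suffix."""
    residual = pattern.split(":", 1)[1] if ":" in pattern else pattern  # drop FILE:
    rx = re.escape(residual).replace(re.escape("%u"), r"\d+")
    rx = rx.replace(re.escape("%p"), r"\d+").replace("XXXXXX", r"[A-Za-z0-9]{6}")
    return re.compile("^" + rx + "$")

def cache_paths(log_lines):
    """Cache files pam_krb5 says it initialized or refreshed (debug = true output)."""
    hits = (re.search(r"(?:initializing|refreshing) ticket cache (\S+)", l) for l in log_lines)
    return sorted({m.group(1) for m in hits if m})

def session_has_pam_krb5(pam_conf):
    """True if some non-comment 'session' line in the PAM stack names pam_krb5.so."""
    return any(l.split()[:1] == ["session"] and "pam_krb5.so" in l
               for l in pam_conf.splitlines() if l.strip() and not l.lstrip().startswith("#"))

def audit(conf, log_lines, session_conf):
    pattern = configured_ccache(conf)
    rx = ccache_regex(pattern)
    return {"pattern": pattern,
            "mismatched": [p for p in cache_paths(log_lines) if not rx.match(p)],
            "session_has_pam_krb5": session_has_pam_krb5(session_conf)}

if __name__ == "__main__":
    print(audit(KRB5_CONF, AUTH_LOG, COMMON_SESSION))
```

A mismatched path together with a missing session entry reproduces exactly the situation in the thread: setcred from the auth phase wrote /tmp/krb5cc_0 and nothing ran in the session phase to apply the configured pattern.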