I have a problem with libpam-heimdal (current sid, 1.2.0-1) on a client workstation running current sid, in that the credentials are misplaced(?) when I log in via ssh (from other machines as well as from the workstation itself).
The whole thing seems to work ok for local logins (kdm and console), where credentials are obtained and placed in a file, e.g. /tmp/krb5cc_abc123, and the value of the environment variable KRB5CCNAME is set to the corresponding filename. When I try to log in by ssh (sid, openssh 4.2) from the same machine to itself, or from other machines, there is a credentials cache left in /tmp, but it is owned by root:root and typically has a name like /tmp/krb5cc_pam_123abc. The environment variable KRB5CCNAME is present but set to something totally different that is based on the uid and another random 6-character string, e.g. krb5cc_1003_3khU54. The credentials in the first file (owned by root) do indeed belong to the user who tried to log in, as checked by root with klist -c on the file.

At first I thought part of the problem was that I have my user information in ldap, but I also tried to add a test user with password disabled (added instead a principal for [EMAIL PROTECTED] with password on kdc). The same problem exists for this user when trying with ssh, while local logins work ok.

Of course one can do a kinit to create a cache in the file pointed to by the KRB5CCNAME variable. This file is however not deleted on logout; a kdestroy is necessary. The files owned by root containing user credentials are not deleted at all, it seems (how could they be?).

I don't think this is a configuration issue, but if so, please enlighten me. If it is a bug, which part is broken, libpam-heimdal or openssh? Or both?

I have also tried to obtain detailed logging, but didn't figure out how to invoke _all_ logging statements in the source code of pam and libpam-heimdal, only a few by adding the debug option at some places in /etc/pam.d/common-*. How is this done properly?

Anders

P.S. An interesting case is when I log in with valid kerberos tokens over ssh with gssapi. This works nicely and no password has to be typed, but the KRB5CCNAME variable is set to a name based on the uid, for example /tmp/krb5cc_1003, and no random string is attached, nor are there any credentials, even though the original ticket is supposedly forwardable. Credential cache files are subsequently deleted when logging out of consoles, although not from kdm. This was supposedly fixed, see #344927, but the problem seems to persist; I can reproduce it here. According to pam_krb5(5), updated to 1.2.0, the intended naming of the cache seems to be /tmp/krb5cc_[uid]_[random].
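An added login-time diagnostic for the situation Anders describes (this is example code, not part of his message or of libpam-heimdal): it checks whether KRB5CCNAME points at a cache file owned by the logged-in user and lists leftover krb5cc_pam_* caches in /tmp that belong to someone else. The checks take the cache name, uid and directory as arguments so they can be exercised on constructed files; the owner lookup assumes GNU stat(1).

```shell
#!/bin/sh
# Added diagnostic for the credential-cache mismatch described in the post
# (not part of the original message). Assumes GNU stat(1) for owner lookup.

# check_ccache CCNAME UID
#   0 = cache file exists and is owned by UID
#   1 = CCNAME empty, not a file cache, or file missing
#   2 = file exists but belongs to another uid (the root:root case above)
check_ccache() {
    ccname=$1
    want_uid=$2
    [ -n "$ccname" ] || return 1
    case $ccname in
        FILE:*) path=${ccname#FILE:} ;;
        /*)     path=$ccname ;;
        *)      return 1 ;;          # KCM:, API: etc. are not file caches
    esac
    [ -f "$path" ] || return 1
    owner=$(stat -c %u "$path") || return 1
    [ "$owner" = "$want_uid" ] || return 2
    return 0
}

# orphan_caches DIR UID
#   Print PAM-created caches (krb5cc_pam_*) in DIR not owned by UID; these are
#   the root-owned leftovers the post says are never deleted.
orphan_caches() {
    dir=$1
    want_uid=$2
    for f in "$dir"/krb5cc_pam_*; do
        [ -f "$f" ] || continue
        owner=$(stat -c %u "$f") || continue
        [ "$owner" = "$want_uid" ] || echo "$f"
    done
}

# report_session: run both checks against the current login session.
report_session() {
    uid=$(id -u)
    rc=0
    check_ccache "$KRB5CCNAME" "$uid" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "KRB5CCNAME=$KRB5CCNAME is owned by uid $uid"
        # klist exits non-zero when the cache holds no tickets
        klist -c "$KRB5CCNAME" 2>/dev/null || echo "  (cache holds no credentials yet)"
    else
        echo "KRB5CCNAME=$KRB5CCNAME is missing or not owned by uid $uid (rc=$rc)"
    fi
    orphan_caches /tmp "$uid" | sed 's/^/leftover cache not owned by you: /'
}
```

Source the file and call report_session right after an ssh login to see which of the two symptoms (wrong cache name, root-owned leftover) a given session shows.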