On Fri, Oct 21, 2005 at 04:08:14PM +0200, Harti Brandt wrote:
> I have enabled the pam_krb5 module in pam.d/{login,telnetd,sshd}. When
> logging in locally I get a Kerberos ticket as I would expect. When logging
> in via ssh or telnet I don't get one. I have dug around in the sources
> and it looks like telnetd never calls pam_setcred() which would do this
> work. My PAM-foo is rather limited so my question is: shouldn't sshd and
> telnetd call pam_setcred() somewhere?
WRT sshd I bugged des@ about this but did not receive an answer :( See the
attached mail.

--Stijn

-- 
There are of course many problems connected with life, of which some of the
most popular are 'Why are people born?', 'Why do they die?', and 'Why do they
spend so much of the intervening time wearing digital watches?'
	-- Douglas Adams, "The Hitchhiker's Guide To The Galaxy"
Hi,

I sent this 2 weeks ago but got no response. Did I miss anything? I'd
appreciate even a quick 'yes' or 'no' (although a pointer to more docs would
also be nice).

--Stijn

----- Forwarded message from Stijn Hoop <[EMAIL PROTECTED]> -----

From: Stijn Hoop <[EMAIL PROTECTED]>
Date: Wed, 7 Sep 2005 20:48:09 +0200
To: [EMAIL PROTECTED]
Subject: pam_krb5 / pam_sm_setcred not getting called with PAM_ESTABLISH_CRED

Hi Dag-Erling,

sorry to bother you directly but I can't find good info on PAM internals on
the net. If you do have some pointers I'll gladly read more myself.

In any case, the quick quick version of the problem is this: is it allowed
for an application to only call pam_setcred with the PAM_REINITIALIZE_FLAG,
while never having called it with PAM_ESTABLISH_CRED?

More details below and in my other post to arch@ with the same subject.

I would be obliged if you could answer this question. Thanks!

--Stijn

----- Forwarded message from Stijn Hoop <[EMAIL PROTECTED]> -----

From: Stijn Hoop <[EMAIL PROTECTED]>
Date: Sat, 3 Sep 2005 16:55:06 +0200
To: [EMAIL PROTECTED]
Subject: Re: pam_krb5 / pam_sm_setcred not getting called with PAM_ESTABLISH_CRED

On Sat, Sep 03, 2005 at 11:44:34AM +0200, Stijn Hoop wrote:
> I'm debugging a problem on 5-STABLE where I've set up a KDC using Heimdal
> in the base system, and activated pam_krb5 in /etc/pam.d/sshd. It turns out
> that pam_krb5 does not establish the credential cache for the authenticated
> user. After reinstalling pam with DEBUG & PAM_DEBUG, it turns out that
> pam_sm_setcred is only called with PAM_REINITIALIZE_CRED as flags, and
> never with PAM_ESTABLISH_CRED, which is the only case for which a credential
> cache will be saved (in all other cases, PAM_SUCCESS is returned immediately,
> which is why I don't have a cache).

Further digging reveals that this is due to the sshd code; it turns out that
unless PrivilegeSeparation is off, it will not 'establish' credentials, only
'reinitialize' them.
Found in src/crypto/openssh/auth-pam.c and session.c. I really wouldn't know
if this is appropriate or not, but it seems confusing to me.

The second question still stands:

> - shouldn't pam_krb5 re-establish the credential cache when called with
>   PAM_REINITIALIZE_CRED, instead of just returning PAM_SUCCESS? I'm a total
>   pam newbie so I'm going only by the name of the flag; I couldn't find a
>   manpage that made the semantics of these flags more clear.

Or of course someone pointing out the correct way to get an initialized
Kerberos 5 ticket cache upon successful ssh login...

--Stijn

----- End forwarded message -----
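The interaction the thread describes, as an added example that is not code from pam_krb5, OpenSSH or any of the posters: a minimal model of a module's pam_sm_setcred() flag dispatch (only PAM_ESTABLISH_CRED writes a cache, every other flag returns PAM_SUCCESS without touching it) driven by two application call sequences, the login-style "authenticate, then ESTABLISH" sequence and the privsep-sshd-style "authenticate, then only REINITIALIZE" sequence. The flag and return-code values are assumed stand-ins for what security/pam_appl.h would provide; nothing links against libpam or talks to a KDC, and the "cache" is just a file name in a struct. The names module_setcred, module_authenticate, login_flow, sshd_privsep_flow and krb_session are invented for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins for the constants security/pam_appl.h provides. */
#define PAM_SUCCESS           0
#define PAM_CRED_UNAVAIL      14
#define PAM_ESTABLISH_CRED    1
#define PAM_DELETE_CRED       2
#define PAM_REINITIALIZE_CRED 4
#define PAM_REFRESH_CRED      8

/* Per-session state, standing in for the data a real module keeps in
 * the pam_handle_t between pam_sm_authenticate and pam_sm_setcred. */
struct krb_session {
    int  authenticated;  /* modelled pam_sm_authenticate obtained a TGT */
    char ccache[64];     /* "" until a cache has been written for the user */
};

/* Modelled pam_sm_authenticate: pretend the password checked out. */
int module_authenticate(struct krb_session *s)
{
    s->authenticated = 1;
    return PAM_SUCCESS;
}

/* Modelled pam_sm_setcred, following the behaviour the thread reports:
 * only PAM_ESTABLISH_CRED stores the cache; REINITIALIZE and REFRESH
 * return PAM_SUCCESS immediately without storing anything. */
int module_setcred(struct krb_session *s, int flags, int uid)
{
    if (flags & PAM_ESTABLISH_CRED) {
        if (!s->authenticated)
            return PAM_CRED_UNAVAIL;           /* no TGT to store */
        snprintf(s->ccache, sizeof s->ccache, "/tmp/krb5cc_%d", uid);
        return PAM_SUCCESS;
    }
    if (flags & PAM_DELETE_CRED) {
        s->ccache[0] = '\0';                   /* drop the cache on logout */
        return PAM_SUCCESS;
    }
    /* PAM_REINITIALIZE_CRED / PAM_REFRESH_CRED: success, nothing written */
    return PAM_SUCCESS;
}

/* Application sequence 1, login-style: authenticate, then ESTABLISH.
 * Returns 1 when a cache exists afterwards. */
int login_flow(struct krb_session *s, int uid)
{
    memset(s, 0, sizeof *s);
    if (module_authenticate(s) != PAM_SUCCESS)
        return 0;
    if (module_setcred(s, PAM_ESTABLISH_CRED, uid) != PAM_SUCCESS)
        return 0;
    return s->ccache[0] != '\0';
}

/* Application sequence 2, the privsep-sshd shape the thread describes:
 * authentication happens, but setcred is only ever called with
 * PAM_REINITIALIZE_CRED. Every call succeeds, yet no cache appears. */
int sshd_privsep_flow(struct krb_session *s, int uid)
{
    memset(s, 0, sizeof *s);
    if (module_authenticate(s) != PAM_SUCCESS)
        return 0;
    if (module_setcred(s, PAM_REINITIALIZE_CRED, uid) != PAM_SUCCESS)
        return 0;
    return s->ccache[0] != '\0';
}

int main(void)
{
    struct krb_session s;
    printf("login-style sequence:   cache present = %d (%s)\n",
           login_flow(&s, 1001), s.ccache);
    printf("sshd privsep sequence:  cache present = %d\n",
           sshd_privsep_flow(&s, 1001));
    return 0;
}
```

The point the model makes explicit is that the second sequence never fails: every PAM call returns PAM_SUCCESS, so the application has no error to report and the only symptom is the missing ticket cache, which is exactly the debugging experience described above. Checking pam_setcred's return value is therefore not enough to notice the problem; a deployment check has to look for the cache itself (or run the module with its debug option, as was done here).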