| From | Sent On | Attachments |
|---|---|---|
| Harti Brandt | Oct 21, 2005 7:08 am | |
| Stijn Hoop | Oct 21, 2005 7:24 am | |
| Harti Brandt | Oct 21, 2005 8:14 am | |
| Stijn Hoop | Nov 14, 2005 4:31 am | |

| Subject: | telnetd/sshd and Kerberos tickets (PAM) | |
|---|---|---|
| From: | Stijn Hoop (sti...@win.tue.nl) | |
| Date: | Nov 14, 2005 4:31:42 am | |
| List: | org.freebsd.freebsd-hackers | |

On Fri, Oct 21, 2005 at 05:10:39PM +0200, Harti Brandt wrote:

> On Fri, 21 Oct 2005, Stijn Hoop wrote:
>
> SH>On Fri, Oct 21, 2005 at 04:08:14PM +0200, Harti Brandt wrote:
> SH>> I have enabled the pam_krb5 module in pam.d/{login,telnetd,sshd}. When
> SH>> logging in locally I get a Kerberos ticket as I would expect. When logging
> SH>> in via ssh or telnet I don't get one. I have dug around in the sources
> SH>> and it looks like telnetd never calls pam_setcred() which would do this
> SH>> work. My PAM-foo is rather limited so my question is: shouldn't sshd and
> SH>> telnetd call pam_setcred() somewhere?
> SH>
> SH>WRT sshd I bugged des@ about this but did not receive an answer :( See
> SH>the attached mail.
>
> Hmm. I dug around a little bit and found something:
>
> http://bugzilla.mindrot.org/show_bug.cgi?id=789
>
> From a first glance it seems that this bug was introduced by fixing
> another bug.

I see. If I understand correctly, disabling privsep will fix it?

Still, I would really like to get an answer to my PAM question:

"Is it allowed for an application to only call pam_setcred with the PAM_REINITIALIZE_FLAG, while never having called it with PAM_ESTABLISH_CRED?"

Did you find out yet?

--Stijn
-- "An adult is a child who has more ethics and morals, that's all." -- Shigeru Miyamoto
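
An added example, not part of the original thread and not FreeBSD or OpenSSH code: a small Python check over a constructed PAM call trace that flags the two patterns raised in the message above, a service that authenticates but never calls pam_setcred(), and one that calls it only to reinitialize credentials. The trace format and the three call sequences are assumptions made up for illustration, and the flag is written PAM_REINITIALIZE_CRED, as it is spelled in the PAM headers.

```python
import re

# Constructed trace, one PAM call per line: "<service> <call>(<flag>) = <result>".
# The format and all three call sequences are made up for this example.
SAMPLE_TRACE = """\
login pam_authenticate(0) = PAM_SUCCESS
login pam_acct_mgmt(0) = PAM_SUCCESS
login pam_setcred(PAM_ESTABLISH_CRED) = PAM_SUCCESS
login pam_open_session(0) = PAM_SUCCESS
telnetd pam_authenticate(0) = PAM_SUCCESS
telnetd pam_acct_mgmt(0) = PAM_SUCCESS
telnetd pam_open_session(0) = PAM_SUCCESS
sshd pam_authenticate(0) = PAM_SUCCESS
sshd pam_acct_mgmt(0) = PAM_SUCCESS
sshd pam_open_session(0) = PAM_SUCCESS
sshd pam_setcred(PAM_REINITIALIZE_CRED) = PAM_SUCCESS
"""

CALL = re.compile(r"^(\S+) (pam_\w+)\((\w+)\) = (\w+)$")

def audit(trace):
    """Map each service in the trace to a list of credential-handling findings."""
    state = {}
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if not m:
            continue  # not a PAM call line
        service, call, flag, result = m.groups()
        s = state.setdefault(
            service, {"auth": False, "setcred": False, "established": False, "findings": []})
        ok = result == "PAM_SUCCESS"
        if call == "pam_authenticate" and ok:
            s["auth"] = True
        elif call == "pam_setcred":
            s["setcred"] = True
            if not ok:
                s["findings"].append(f"pam_setcred({flag}) returned {result}")
            elif flag == "PAM_ESTABLISH_CRED":
                s["established"] = True
            elif flag in ("PAM_REINITIALIZE_CRED", "PAM_REFRESH_CRED") and not s["established"]:
                s["findings"].append(f"{flag} without a prior PAM_ESTABLISH_CRED")
    for s in state.values():
        if s["auth"] and not s["setcred"]:
            s["findings"].append("authenticated, but pam_setcred() never called")
    return {service: s["findings"] for service, s in state.items()}

if __name__ == "__main__":
    for service, findings in audit(SAMPLE_TRACE).items():
        print(service, "->", findings or "credentials established")
```

A finding here is a prompt to read the daemon's source, as the thread does; it does not settle whether the reinitialize-only sequence is permitted, which is the open question in the message.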





