Problem using pam_krb5 + sshd on Solaris
Josef Kelbler
kelbler at vumscomp.cz
Thu Nov 21 12:14:35 EST 2002
Thanks Paraq for the information that you use sshd with PrivilegeSeparation.
I also installed it and my problem is resolved.
I think there is a fault in pam_krb5.
I tested the pam_krb5 module with several configurations, debugged it and got
these results:
Server    UID    GID    EUID   EGID
------------------------------------------------------------------------
Telnetd   0      10     1005   10
Sshd      0      1      1005   1     (no separation)
Sshd      1005   10     1005   10    (with separation with user sshd)
Here 1005 is the ID of the connecting user some_user.
Group 10 is staff.
Group 1 is other.
pam_krb5 creates the CCache in /etc/krb5cc_1005. It creates it with the EUID.
For sshd without separation the created file /etc/krb5cc_1005 had:
-rw-------   some_user   other
Then pam_krb5 uses chown() to change the owner and group to the user's:
here to some_user and staff.
This chown() returns an error.
I think that with this EUID=1005 and EGID=1 it is not possible to change
this file.
> It's 8.45 pm here in India and I am about to leave
> for home. I have already got two calls from my
> mother.
I have your time minus 5 hours.
I live in Prague, in the Czech Republic.
Cheers
Josef
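
Added example, not part of the original message and not pam_krb5 code: a small C model of the POSIX chown() permission rule, applied to the credential rows reported in the message above. It assumes chown restriction (_POSIX_CHOWN_RESTRICTED) is in effect and that the process has no supplementary groups unless they are passed in; the struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Credentials that chown(2) checks for an unprivileged caller. */
struct cred {
    uid_t euid;
    gid_t egid;
    const gid_t *supp;   /* supplementary groups (assumed, not on the page) */
    size_t nsupp;
};

static bool in_groups(const struct cred *c, gid_t g)
{
    if (c->egid == g)
        return true;
    for (size_t i = 0; i < c->nsupp; i++)
        if (c->supp[i] == g)
            return true;
    return false;
}

/* POSIX chown() rule with _POSIX_CHOWN_RESTRICTED in effect (assumed). */
bool chown_permitted(const struct cred *c, uid_t file_uid,
                     uid_t new_uid, gid_t new_gid)
{
    if (c->euid == 0)
        return true;                         /* privileged caller */
    if (c->euid != file_uid)
        return false;                        /* caller must own the file */
    if (new_uid != (uid_t)-1 && new_uid != file_uid)
        return false;                        /* cannot give the file away */
    return new_gid == (gid_t)-1 || in_groups(c, new_gid);
}

/* Ccache case from the post: file is created as euid:egid, then chowned
 * to the user (1005) and the user's group staff (10). */
bool ccache_chown_ok(uid_t euid, gid_t egid, const gid_t *supp, size_t nsupp)
{
    struct cred c = { euid, egid, supp, nsupp };
    return chown_permitted(&c, euid, 1005, 10);
}

int main(void)
{
    printf("telnetd          : %d\n", ccache_chown_ok(1005, 10, NULL, 0));
    printf("sshd, no privsep : %d\n", ccache_chown_ok(1005, 1, NULL, 0));
    printf("sshd, privsep    : %d\n", ccache_chown_ok(1005, 10, NULL, 0));
    return 0;
}
```

Under these assumptions only the EUID=1005, EGID=1 row is refused, because group 10 is neither the effective group nor a supplementary group of the caller.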