kerberos, ssh, and solaris8
Jason Heiss
jheiss+news at ee.washington.edu
Fri May 10 19:16:19 EDT 2002
Simon Wilkinson wrote:
> Sam Hartman (hartmans at mit.edu) wrote:
> : This cannot be a Kerberos bug; the ssh patches are responsible for
> : ccache permissions.
>
> I suspect, from previous posts on this subject, that it's a problem
> with the interaction between OpenSSH and the Solaris pam_krb5 module.
> If the original poster isn't using PAM for password authentication,
> I'll investigate further.
It is a bug in the Solaris pam_krb5. When OpenSSH calls
pam_setcred(pamh, PAM_REINITIALIZE_CRED) the valid ccache file written
out by pam_authenticate() is overwritten by a ccache containing no
ticket and owned by the effective UID of the calling process. I've
opened a support request with Sun but the engineer is out at training
this week.
You can work around it by applying the attached patch to auth-pam.c
in OpenSSH, which just skips the call to pam_setcred in the REINITIALIZE
case.
Jason
Attachment: auth-pam.c.diff
*** auth-pam.c.orig Mon Feb 4 17:40:47 2002
--- auth-pam.c Thu Apr 25 16:36:15 2002
***************
*** 294,299 ****
--- 294,306 ----
{
int pam_retval;
+ /* Ignore requests to reinitialize due to bug in Solaris pam_krb5.
+ * Calls to pam_setcred(PAM_REINITIALIZE_CRED) write out invalid
+ * credential cache files in /tmp (wrong ownership and no ticket).
+ */
+ if (! init)
+ return;
+
do_pam_set_conv(&conv);
debug("PAM establishing creds");
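Review bot: the guard `if (! init) return;` is unconditional, while the comment above it attributes the problem to the Solaris pam_krb5 module only; wrapping the early return in a platform or configure-time conditional (or an sshd option) would keep PAM_REINITIALIZE_CRED working on systems whose PAM modules rely on it to refresh credentials. Consider also logging the skipped call with a debug() message in the style of the existing `debug("PAM establishing creds");`, so an administrator can tell from the log why credentials were not reinitialized rather than discovering a stale or empty ccache later.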
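A check an administrator can run against a user's credential cache after login to catch the two symptoms Jason describes (a cache owned by the wrong UID and a cache with no ticket in it), written as an added example that is not code from the post, from OpenSSH or from Sun's pam_krb5. It assumes the MIT version-4 FILE ccache layout (magic bytes 0x05 0x04, a tagged header, the default principal, then zero or more credential records) and treats "no bytes after the default principal" as "no ticket"; the sample caches it writes are constructed for the demonstration and contain a dummy key and a placeholder ticket blob, not real credentials.

```python
"""Inspect a Kerberos FILE ccache for wrong ownership or a missing ticket.

Added example, not from the post, OpenSSH or pam_krb5.  Assumes the MIT
version-4 FILE ccache layout; sample data below is constructed."""
import os
import stat
import struct
import tempfile
from dataclasses import dataclass

KRB5_NT_PRINCIPAL = 1   # name types as defined by RFC 4120
KRB5_NT_SRV_INST = 2


@dataclass
class CcacheReport:
    path: str
    owner_ok: bool         # file uid matches the user who should own it
    mode_ok: bool          # regular file with no group/other permission bits
    principal: str         # default principal stored in the cache
    has_credentials: bool  # at least one credential record follows it

    @property
    def ok(self) -> bool:
        return self.owner_ok and self.mode_ok and self.has_credentials


def _take(buf: bytes, off: int, n: int):
    """Return buf[off:off+n] and the new offset, refusing to read past EOF."""
    if off + n > len(buf):
        raise ValueError("truncated ccache at offset %d" % off)
    return buf[off:off + n], off + n


def _parse_principal(buf: bytes, off: int):
    """v4 principal: name type, component count, realm, then components."""
    raw, off = _take(buf, off, 8)
    _name_type, ncomp = struct.unpack(">II", raw)
    parts = []
    for _ in range(ncomp + 1):            # realm first, then each component
        raw, off = _take(buf, off, 4)
        (length,) = struct.unpack(">I", raw)
        raw, off = _take(buf, off, length)
        parts.append(raw.decode("utf-8"))
    return "/".join(parts[1:]) + "@" + parts[0], off


def parse_default_principal(buf: bytes):
    """Return (default principal, offset where credential records begin)."""
    magic, off = _take(buf, 0, 2)
    if magic != b"\x05\x04":
        raise ValueError("not a version-4 FILE ccache")
    raw, off = _take(buf, off, 2)
    (hlen,) = struct.unpack(">H", raw)
    _, off = _take(buf, off, hlen)        # skip tagged header (e.g. DeltaTime)
    return _parse_principal(buf, off)


def check_ccache(path: str, expected_uid: int) -> CcacheReport:
    """Stat and parse one cache file; does not contact a KDC."""
    st = os.stat(path)
    with open(path, "rb") as f:
        buf = f.read()
    principal, cred_off = parse_default_principal(buf)
    return CcacheReport(
        path=path,
        owner_ok=st.st_uid == expected_uid,
        mode_ok=stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0,
        principal=principal,
        has_credentials=cred_off < len(buf),
    )


# --- constructed sample caches for the demonstration (no real tickets) ----

def _enc_principal(name_type: int, realm: str, comps) -> bytes:
    out = struct.pack(">II", name_type, len(comps))
    for s in [realm] + list(comps):
        b = s.encode("utf-8")
        out += struct.pack(">I", len(b)) + b
    return out


def build_ccache(client="alice", realm="EXAMPLE.ORG", with_ticket=True) -> bytes:
    """Serialize a minimal v4 FILE ccache; with_ticket=False mimics the
    ticketless cache the thread says pam_setcred left behind."""
    header = struct.pack(">HHii", 1, 8, 0, 0)   # tag 1 = DeltaTime, 8 bytes
    buf = b"\x05\x04" + struct.pack(">H", len(header)) + header
    buf += _enc_principal(KRB5_NT_PRINCIPAL, realm, [client])
    if with_ticket:
        cred = _enc_principal(KRB5_NT_PRINCIPAL, realm, [client])
        cred += _enc_principal(KRB5_NT_SRV_INST, realm, ["krbtgt", realm])
        cred += struct.pack(">HI", 18, 32) + bytes(32)  # aes256-cts, dummy zero key
        cred += struct.pack(">IIII", 0, 0, 0, 0)        # auth/start/end/renew_till
        cred += b"\x00" + struct.pack(">I", 0)          # is_skey, ticket_flags
        cred += struct.pack(">II", 0, 0)                # no addresses, no authdata
        ticket = b"\x30\x03\x02\x01\x05"                # placeholder DER, not a ticket
        cred += struct.pack(">I", len(ticket)) + ticket
        cred += struct.pack(">I", 0)                    # empty second ticket
        buf += cred
    return buf


def check_sample(with_ticket: bool, mode: int = 0o600, uid_offset: int = 0) -> CcacheReport:
    """Write a constructed cache, check it as the current user (uid_offset=1
    simulates the wrong-owner case) and remove it again."""
    fd, path = tempfile.mkstemp(prefix="krb5cc_demo_")   # created 0600
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(build_ccache(with_ticket=with_ticket))
        os.chmod(path, mode)
        return check_ccache(path, os.getuid() + uid_offset)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for args in ({"with_ticket": True}, {"with_ticket": False},
                 {"with_ticket": True, "mode": 0o644},
                 {"with_ticket": True, "uid_offset": 1}):
        r = check_sample(**args)
        print("%s owner_ok=%s mode_ok=%s has_credentials=%s -> %s" % (
            r.principal, r.owner_ok, r.mode_ok, r.has_credentials,
            "OK" if r.ok else "BAD"))
```

On a real system you would call check_ccache with the path named by the user's KRB5CCNAME (or /tmp/krb5cc_<uid>) and the uid from pwd.getpwnam; a report with has_credentials false or owner_ok false right after an ssh login is exactly the state the patch above is working around.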