kerberos, ssh, and solaris8

Jason Heiss jheiss+news at ee.washington.edu
Fri May 10 19:16:19 EDT 2002



Simon Wilkinson wrote:
> Sam Hartman (hartmans at mit.edu) wrote:
> : This cannot be a Kerberos bug; the ssh patches are responsible for
> : ccache permissions.
> 
> I suspect, from previous posts on this subject, that it's a problem
> with the interaction between OpenSSH and the Solaris pam_krb5 module.
> If the original poster isn't using PAM for password authentication,
> I'll investigate further.

It is a bug in the Solaris pam_krb5.  When OpenSSH calls 
pam_setcred(pamh, PAM_REINITIALIZE_CRED) the valid ccache file written 
out by pam_authenticate() is overwritten by a ccache containing no 
ticket and owned by the effective UID of the calling process.  I've 
opened a support request with Sun but the engineer is out at training 
this week.

You can work around it by applying the attached patch to auth-pam.c 
in OpenSSH, which just skips the call to pam_setcred in the REINITIALIZE 
case.

Jason

Attachment: auth-pam.c.diff

*** auth-pam.c.orig	Mon Feb  4 17:40:47 2002
--- auth-pam.c	Thu Apr 25 16:36:15 2002
***************
*** 294,299 ****
--- 294,306 ----
  {
  	int pam_retval;
  
+ 	/* Ignore requests to reinitialize due to bug in Solaris pam_krb5.
+ 	 * Calls to pam_setcred(PAM_REINITIALIZE_CRED) write out invalid
+ 	 * credential cache files in /tmp (wrong ownership and no ticket).
+ 	 */
+ 	if (! init)
+ 		return;
+ 
  	do_pam_set_conv(&conv);
  
  	debug("PAM establishing creds");
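Review bot: the early `if (! init) return;` drops the PAM_REINITIALIZE_CRED call for every PAM module in the stack and on every platform this build runs on, not just Solaris pam_krb5, so any other module that depends on reinitialization is silently bypassed; consider gating the return behind a configure-time or sshd_config option rather than making it unconditional, and add a `debug()` line before the return (the function already logs "PAM establishing creds" for the normal path) so the skipped call is visible in the sshd log when diagnosing credential problems.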

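A diagnostic check for the symptom described above, added here as an example and not part of the original message or of OpenSSH: it takes a /tmp/krb5cc_<uid> file (the MIT default cache name, assumed here), flags it when the file's owner does not match the UID in its name, and counts the credential entries by walking the MIT FILE ccache version-4 layout, so a cache left with no ticket is reported.

```python
import os
import re
import struct

def _u32(buf, pos):
    return struct.unpack(">I", buf[pos:pos + 4])[0]

def _skip_data(buf, pos):
    # "data" item: uint32 length followed by that many bytes
    return pos + 4 + _u32(buf, pos)

def _skip_principal(buf, pos):
    # version-4 principal: name_type, num_components, realm, components
    ncomps = _u32(buf, pos + 4)
    pos = _skip_data(buf, pos + 8)
    for _ in range(ncomps):
        pos = _skip_data(buf, pos)
    return pos

def count_credentials(buf):
    """Count credential entries in an MIT FILE ccache, version 4 (0x0504)."""
    if buf[:2] != b"\x05\x04":
        raise ValueError("not a version-4 FILE ccache")
    hdrlen = struct.unpack(">H", buf[2:4])[0]
    pos = _skip_principal(buf, 4 + hdrlen)          # default principal
    count = 0
    while pos < len(buf):
        pos = _skip_principal(buf, _skip_principal(buf, pos))  # client, server
        pos = _skip_data(buf, pos + 2)               # keyblock: enctype + key
        pos += 4 * 4 + 1 + 4                         # 4 times, is_skey, flags
        for _ in range(2):                           # addresses, then authdata
            n, pos = _u32(buf, pos), pos + 4
            for _ in range(n):
                pos = _skip_data(buf, pos + 2)       # type + data
        pos = _skip_data(buf, _skip_data(buf, pos))  # ticket, second_ticket
        count += 1
    return count

def check_ccache(path):
    """Return the problems found with a krb5cc_<uid> file (empty list = OK)."""
    problems = []
    m = re.match(r"krb5cc_(\d+)$", os.path.basename(path))
    owner = os.stat(path).st_uid
    if m and owner != int(m.group(1)):
        problems.append("owned by uid %d, expected %s" % (owner, m.group(1)))
    with open(path, "rb") as f:
        if count_credentials(f.read()) == 0:
            problems.append("no tickets in cache")
    return problems
```

Run it against each /tmp/krb5cc_* file after an ssh login; a non-empty result for a freshly created cache reproduces the pam_setcred behaviour the message reports.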