which krb5 PAM module on Solaris 8?

Balazs GAL balsa at rit.bme.hu
Fri Aug 1 18:48:16 EDT 2003 

Sam Hartman írta:
> I think that the PAM module with the most potential is the one in the
> Linux-PAM repository on sourceforge.  I'm not sure it's really usable
> in its current form.

In what state is it? :

gcc -c  -fpic -g -O2 -I/usr/include -I/usr/include pam_krb5_auth.c
pam_krb5_auth.c:123:45: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:132:67: pasting "pam_krb5_log" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:167:39: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:175:35: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:183:35: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:187:38: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:209:71: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:212:50: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:224:77: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:247:50: pasting "pam_krb5_log" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:253:47: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:268:35: pasting "pam_krb5_log" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:297:57: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:301:38: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:332:50: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:340:54: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:360:39: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:363:70: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:367:51: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:374:51: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:380:70: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:405:30: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:412:34: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:420:34: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:427:64: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:434:45: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
make: *** [pam_krb5_auth.o] Error 1


Or something from it's mail archive:
http://mailman.mit.edu/pipermail/kerberos/2003-February/002556.html

"""

It appears I've stumbled across a security hole in pam_krb5-1.0.3 . This 
occurs in the latest cvs found at

	pserver:anonymous at cvs.sourceforge.net:/cvsroot/pam

When I use the module above on a Solaris 8 machine, I get the following
behavior:

   <jfh at waterspout:/cise/sys/src0/jfh/kerberos/pam_krb5-1.0> 1876 : 
su - jfhmtest
   Password for jfhmtest at CISE.UFL.EDU:
   waterspout% id
   uid=0(root) gid=50(stdnt) euid=7048(jfhmtest)

The uid of the target user is 0, instead of 7048 .

[...]

"""


I dont say, that this is not a great tool.

The authors of it are excellent peoples with very good knowledge!

It's GREAT, but not maintained since 2001.


balsa

More information about the Kerberos mailing list