pam-krb5 2.6 released
Markus Moeller
huaraz at moeller.plus.com
Fri Dec 15 02:46:48 EST 2006
Russ,
yes I use MIT 1.3.1. I'll try your suggestion.
Thanks
Markus
"Russ Allbery" <rra at stanford.edu> wrote in message
news:87ac1q7zt3.fsf at windlord.stanford.edu...
> Markus Moeller <huaraz at moeller.plus.com> writes:
>
>> I have a setup where I have two domains with trust and would like to
>> have users from either domain to login to my Unix machine to
>> applications which can't use GSSAPI so I need to use pam_krb5 to have
>> some form of SSO. My Unix system is in DOMAIN1.COM which is configured
>> to be the default domain in krb5.conf . I configured pam (on Solaris
>> 2.8) as follows:
>
>> #authentication
>> other auth sufficient pam_krb5-2.6.so.1 minimum_uid=100 debug
>> other auth sufficient pam_krb5-2.6.so.1 minimum_uid=100
>> realm=DOMAIN2.COM use_first_pass debug
>> other auth required pam_unix.so.1 try_first_pass debug
>> # account
>> other account sufficient pam_krb5-2.6.so.1 minimum_uid=100 debug
>> other account sufficient pam_krb5-2.6.so.1 minimum_uid=100
>> realm=DOMAIN2.COM debug
>> other account required pam_unix.so.1 debug
>> # session
>> other session required pam_default.so.1 debug
>
>> The problem I have is that despite setting the realm to DOMAIN2.COM the
>> system always tries to connect to kdcs of DOMAIN1.COM never DOMAIN2.COM
>> despite getting an unknown user from DOMAIN1 for users of DOMAIN2 as it
>> should be. It seems that the kerberos context of the first
>> pam_sm_authenticate call is still used for the second despite changing
>> the realm.
>
> Yup, you're using MIT Kerberos 1.3 or earlier, aren't you. :)
>
> Someone else just helped me track this down. There's a bug in MIT
> Kerberos prior to 1.4 where the realm is stored in a static variable in
> the library and then reused even if you create a new context and change
> the default realm. I'm going to work around this in the next version of
> the PAM module.
>
> In the meantime, upgrading to 1.4 will fix this problem, but I know that
> may not be that viable if you're using RHEL. I don't have a patch for the
> problem yet that I've tested, but this compiles and should be close:
>
> === modified file 'support.c'
> --- support.c 2006-11-18 01:16:25 +0000
> +++ support.c 2006-12-15 00:43:04 +0000
> @@ -48,6 +48,36 @@
>
>
> /*
> + * Fill in ctx->princ from the value of ctx->name.
> + *
> + * This is a separate function rather than just calling krb5_parse_name
> so
> + * that we can work around a bug in MIT Kerberos prior to 1.4, which
> store the
> + * realm in a static variable inside the library and don't notice
> changes. If
> + * no realm is specified and a realm is set in our arguments, append the
> realm
> + * to force krb5_parse_name to do the right thing.
> + */
> +static krb5_error_code
> +parse_name(struct context *ctx, struct pam_args *args)
> +{
> + char *user = ctx->name;
> + size_t length;
> + krb5_error_code k5_errno;
> +
> + if (args->realm != NULL && strchr(ctx->name, '@') == NULL) {
> + length = strlen(ctx->name) + 1 + strlen(args->realm) + 1;
> + user = malloc(length);
> + if (user == NULL)
> + return KRB5_CC_NOMEM;
> + snprintf(user, length, "%s@%s", ctx->name, args->realm);
> + }
> + k5_errno = krb5_parse_name(ctx->context, user, &ctx->princ);
> + if (user != ctx->name)
> + free(user);
> + return k5_errno;
> +}
> +
> +
> +/*
> * Used to support trying each principal in the .k5login file. Read
> through
> * each line that parses correctly as a principal and use the provided
> * password to try to authenticate as that user. If at any point we
> succeed,
> @@ -90,11 +120,11 @@
> filename[len] = '\0';
> strncat(filename, "/.k5login", len - strlen(pwd->pw_dir));
>
> - /* If there is no file, do this the easy way. */
> + /*
> + * If there is no file, do this the easy way. Assume ctx->princ is
> + * already set properly.
> + */
> if (access(filename, R_OK) != 0) {
> - k5_errno = krb5_parse_name(ctx->context, ctx->name, &ctx->princ);
> - if (k5_errno != 0)
> - return PAM_SERVICE_ERR;
> *retval = krb5_get_init_creds_password(ctx->context, creds,
> ctx->princ, pass, pamk5_prompter_krb5, ctx->pamh, 0,
> in_tkt_service, opts);
> @@ -199,13 +229,27 @@
> krb5_get_init_creds_opt_set_renew_life(&opts,
> args->renew_lifetime);
>
> /* Fill in the principal to authenticate as. */
> - retval = krb5_parse_name(ctx->context, ctx->name, &ctx->princ);
> + retval = parse_name(ctx, args);
> if (retval != 0) {
> pamk5_debug_krb5(ctx, args, "krb5_parse_name", retval);
> retval = PAM_SERVICE_ERR;
> goto done;
> }
>
> + /* Log the principal we're attempting to authenticate as. */
> + if (args->debug) {
> + char *principal;
> +
> + retval = krb5_unparse_name(ctx->context, ctx->princ, &principal);
> + if (retval != 0)
> + pamk5_debug_krb5(ctx, args, "krb5_unparse_name", retval);
> + else {
> + pamk5_debug(ctx, args, "attempting authentication as %s",
> + principal);
> + free(principal);
> + }
> + }
> +
> /*
> * If try_first_pass or use_first_pass is set, grab the old password
> (if
> * set) instead of prompting. If try_first_pass is set, and the old
>
>
>
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list