pam-krb5 3.9 released

Markus Moeller huaraz at moeller.plus.com
Sat Dec 1 10:26:09 EST 2007


Russ,

I have a problem with pam_sm_setcred when authenticating non-local users. I 
have in my pam file the following

application auth required pam-krb5-3.9 no_ccache
application account required pam-krb5-3.9 no_ccache
application session required pam_dummy

to authenticate users of an application with Kerberos. Unfortunately the 
application also uses pam_setcred and pam_sm_open/close_session calls, and 
pam_sm_setcred fails because in pam_sm_setcred the pamret = 
pamk5_context_fetch(args) call fails and sets the return code to 24 (Module 
specific data not found). You nicely jump over getpwnam when no_ccache is 
selected, but I think in the case of no_ccache a failure of 
pamk5_context_fetch shouldn't be fatal.

Can this be changed in the next release?

Thank you
Markus

int
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    struct context *ctx = NULL;
    struct pam_args *args;
    krb5_ccache cache = NULL;
    char *cache_name = NULL;
    int reinit = 0, status = 0;
    int pamret, allow;
    struct passwd *pw = NULL;
    uid_t uid;
    gid_t gid;

    args = pamk5_args_parse(pamh, flags, argc, argv);
    if (args == NULL) {
        pamk5_error(NULL, "cannot allocate memory: %s", strerror(errno));
        pamret = PAM_SERVICE_ERR;
        goto done;
    }
    pamret = pamk5_context_fetch(args);
    ENTRY(args, flags);

    /*
     * Special case.  Just free the context data, which will destroy the
     * ticket cache as well.
     */
    if (flags & PAM_DELETE_CRED) {
        pamret = pam_set_data(pamh, "pam_krb5", NULL, NULL);
        args->ctx = NULL;
        goto done;
    }

    /* If configured not to create a cache, we have nothing to do. */
    if (args->no_ccache)
        goto done;

....
done:
    if (cache != NULL)
        krb5_cc_destroy(ctx->context, cache);
    if (cache_name != NULL)
        free(cache_name);
    EXIT(args, pamret);
    pamk5_args_free(args);
    return pamret;
}
"Russ Allbery" <rra at stanford.edu> wrote in message 
news:87pryfdkmc.fsf at windlord.stanford.edu...
> I'm pleased to announce release 3.9 of pam-krb5.
>
> pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
> It supports ticket refreshing by screen savers, configurable authorization
> handling, authentication of non-local accounts for network services,
> password changing, and password expiration, as well as all the standard
> expected PAM features.  It works correctly with OpenSSH, even with
> ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
> supports configuration either by PAM options or in krb5.conf or both.
>
> Changes from previous release:
>
>    If use_authtok is set, fail even if we can retrieve the stored PAM
>    password if that password is set to NULL.  Apparently that can happen
>    in some cases, such as with pam_cracklib.  Thanks to Christian Holler
>    for the diagnosis and a patch.
>
>    Add a new clear_on_fail option for the password group.  If set, when a
>    password change fails, set PAM_AUTHTOK to NULL so that subsequent
>    modules in the PAM stack with use_authtok set will also fail.  Just
>    returning failure doesn't abort the stack on the second pass when
>    actual password changes are made.  This is not the default since it
>    interferes with other desirable PAM configurations.  It's useful
>    primarily when using the PAM stack to synchronize passwords between
>    multiple environments.  Thanks to Christian Holler and Tomas Mraz for
>    the analysis.
>
>    Fix portability issues with Heimdal, versions of PAM that don't
>    provide pam_modutil_getpwnam, and compiler warnings when building
>    PKINIT support.  Thanks, Martin von Gagern.
>
>    Fix parsing of the keytab PAM option.  Thanks, Markus Moeller.
>
>    Return PAM_AUTHINFO_UNAVAIL instead of PAM_AUTH_ERR when unable to
>    resolve the Kerberos realm.  Thanks, Frank Cornelissen.
>
>    Add a new debugging section to the README.
>
> You can download it from:
>
>    <http://www.eyrie.org/~eagle/software/pam-krb5/>
>
> Debian packages have been uploaded to Debian unstable.
>
> Please let me know of any problems or feature requests not already listed
> in the TODO file.
>
> -- 
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 