More fun with Russ' pam_krb5

Douglas E. Engert deengert at anl.gov
Wed Mar 12 09:35:32 EDT 2008


Just as a side note, on Solaris 10, using Sun's pam_krb5, I could not figure
out how to get dtlogin to use a cache other than the default cache. I have
had arguments with the Solaris developers over the use of session- vs user-based
caches, but NFSv4 and the gssd appear to want to use the default cache, so
they don't want to change.

As such, I only use session-based caches from SSH, and leave the console logins
to do their own thing and use the default. The problem you are seeing might be
that KRB5CCNAME is not being set in dtlogin and/or not being passed to xscreensaver.





Coy Hile wrote:
> Okay, I think I've got my pam.conf sorted, but it still seems that xscreensaver is being weird.
> 
> Here is an excerpt from pam.conf for dtlogin:
> 
> |dtlogin-SunRay  auth requisite  pam_authtok_get.so.1
> |dtlogin-SunRay  auth required   pam_dhkeys.so.1 debug
> |dtlogin-SunRay  auth required   pam_unix_cred.so.1 debug
> |dtlogin-SunRay  auth optional   /krb5/lib/security/pam_krb5.so use_first_pass debug ccache=/tmp/krb5cc_%u_XXXXXX
> |dtlogin-SunRay  auth required   /krb5/lib/security/pam_afs_session.so debug
> |dtlogin-SunRay  auth optional   pam_unix_auth.so.1
> 
> which causes the following in syslog
> 
> Mar 11 20:22:55 ganymede dtlogin[22454]: [ID 584047 user.debug] (pam_krb5): none: <unknown>: entry (0x0)
> Mar 11 20:22:55 ganymede dtlogin[22454]: [ID 584047 user.debug] (pam_krb5): hile: attempting authentication as hile at COYHILE.COM
> Mar 11 20:22:55 ganymede dtlogin[22454]: [ID 584047 user.debug] (pam_krb5): hile: <unknown>: exit (success)
> Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 166327 user.debug] pam_dhkeys: user2netname failed
> Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 990244 auth.debug] pam_unix_cred: pam_sm_setcred(flags = 1, argc= 1)
> Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 990244 auth.debug] pam_unix_cred: pam_sm_setcred(flags = 1, argc= 1)
> Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 741634 auth.debug] pam_unix_cred: user = hile, rhost = NULL
> Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 741634 auth.debug] pam_unix_cred: user = hile, rhost = NULL
> Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 857698 auth.debug] pam_unix_cred: state = -1, auid = -2
> Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 857698 auth.debug] pam_unix_cred: state = -1, auid = -2
> Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 437940 auth.debug] pam_unix_cred: audit already set for -2
> Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 437940 auth.debug] pam_unix_cred: audit already set for -2
> Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 584047 user.debug] (pam_krb5): hile: <unknown>: entry (0x1)
> Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 584047 user.debug] (pam_krb5): hile: initializing ticket cache /tmp/krb5cc_1000_6vaOiS
> Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 584047 user.debug] (pam_krb5): hile: <unknown>: exit (success)
> Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 237248 user.debug] (pam_afs_session): <unknown>: entry (0x1)
> Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 237248 user.debug] (pam_afs_session): running /usr/afsws/bin/aklog as UID 1000
> Mar 11 20:22:55 ganymede dtlogin[22597]: [ID 237248 user.debug] (pam_afs_session): <unknown>: exit (success)
> 
> Now I couldn't care less what pam_unix_cred is debugging on about, but I figured I would include the whole log for completeness.
> 
> I note that the ticket cache is set up as I would expect it given my entries in pam.conf.   In xscreensaver, however, the plot thickens.  I've got the following in pam.conf for xscreensaver:
> 
> |xscreensaver    auth requisite  pam_authtok_get.so.1
> |xscreensaver    auth required   pam_dhkeys.so.1
> |xscreensaver    auth optional   /krb5/lib/security/pam_krb5.so use_first_pass debug ccache=/tmp/krb5cc_%u_XXXXXX
> |xscreensaver    auth required   /krb5/lib/security/pam_afs_session.so debug
> |xscreensaver    auth optional   pam_unix_auth.so.1
> 
> And I get the following in syslog:
> 
> Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 584047 user.debug] (pam_krb5): none: <unknown>: entry (0x1)
> Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 584047 user.debug] (pam_krb5): hile: attempting authentication as hile at COYHILE.COM
> Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 584047 user.debug] (pam_krb5): hile: <unknown>: exit (success)
> Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 584047 user.debug] (pam_krb5): hile: <unknown>: entry (0x8)
> Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 584047 user.debug] (pam_krb5): hile: refreshing ticket cache /tmp/krb5cc_1000
>         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 584047 user.debug] (pam_krb5): hile: <unknown>: exit (success)
> Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 237248 user.debug] (pam_afs_session): <unknown>: entry (0x8)
> Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 237248 user.debug] (pam_afs_session): running /usr/afsws/bin/aklog as UID 1000
> Mar 11 20:24:52 ganymede xscreensaver[22746]: [ID 237248 user.debug] (pam_afs_session): <unknown>: exit (success)
> 
> Notice the ticket cache mentioned above.
> 
> What am I missing to have xscreensaver updating the wrong ticket cache?
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
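An added diagnostic for the cache mismatch discussed in this thread (this is not code from the thread, from pam_krb5, or from Solaris). It assumes that on refresh pam_krb5 uses the cache named by KRB5CCNAME in the calling process's environment and otherwise falls back to the MIT default /tmp/krb5cc_<uid>, which matches what the quoted logs show: the dtlogin child initialised /tmp/krb5cc_1000_6vaOiS, while xscreensaver refreshed /tmp/krb5cc_1000. The script reads a live process's environment with pargs -e (Solaris) or /proc/PID/environ (Linux) and reports which cache that process would refresh; the two sample environments at the bottom are constructed, not captured.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: pam_krb5 refreshes the cache
# named by KRB5CCNAME and otherwise uses the default /tmp/krb5cc_<uid>.

# resolve_ccache ENV_TEXT UID
#   ENV_TEXT: newline-separated VAR=value lines. Prints the cache path that a
#   process with this environment would refresh; returns 1 when it had to fall
#   back to the default, i.e. the session cache was not inherited.
resolve_ccache() {
    env_text=$1
    uid=$2
    name=$(printf '%s\n' "$env_text" | sed -n 's/^KRB5CCNAME=//p' | head -n 1)
    if [ -z "$name" ]; then
        printf '/tmp/krb5cc_%s\n' "$uid"
        return 1
    fi
    # Strip the FILE: type prefix so the result compares equal to a plain path.
    printf '%s\n' "${name#FILE:}"
    return 0
}

# process_env PID: dump the environment of a live process as VAR=value lines.
# Linux exposes /proc/PID/environ (NUL-separated); Solaris has no such file,
# so fall through to pargs -e, which prints "envp[N]: VAR=value".
process_env() {
    pid=$1
    if [ -r "/proc/$pid/environ" ]; then
        tr '\0' '\n' < "/proc/$pid/environ"
    else
        pargs -e "$pid" | sed -n 's/^envp\[[0-9]*\]: //p'
    fi
}

# check_session_cache PID UID SESSION_CACHE
#   Compare the cache a running process would refresh against the cache that
#   pam_krb5 created at login (the path from the dtlogin "initializing" line).
check_session_cache() {
    got=$(resolve_ccache "$(process_env "$1")" "$2")
    if [ "$got" = "$3" ]; then
        echo "ok: $got"
        return 0
    fi
    echo "MISMATCH: process would refresh $got, login created $3"
    return 1
}

# Constructed sample environments (not captured from a real system): the
# dtlogin child carries KRB5CCNAME, the screensaver environment does not.
DTLOGIN_ENV='USER=hile
HOME=/home/hile
KRB5CCNAME=FILE:/tmp/krb5cc_1000_6vaOiS'
XSS_ENV='USER=hile
HOME=/home/hile
DISPLAY=:0'

if [ "${1:-}" = "demo" ]; then
    resolve_ccache "$DTLOGIN_ENV" 1000
    resolve_ccache "$XSS_ENV" 1000 || echo "screensaver would fall back to the default cache"
    # Against a live screensaver, e.g. on Solaris:
    #   check_session_cache "$(pgrep -u hile xscreensaver)" 1000 /tmp/krb5cc_1000_6vaOiS
fi
```

Run it with the demo argument to see the two resolutions, or call check_session_cache against the xscreensaver PID of a logged-in user. A MISMATCH line confirms Doug's suggestion that KRB5CCNAME never reached the screensaver, at which point the fix belongs in how the session environment is propagated rather than in the xscreensaver pam.conf stanza.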



More information about the Kerberos mailing list