OpenSSH with Wilkinson patch on Mac OS X 10.2

Luke Howard lukeh at PADL.COM
Wed Oct 2 23:54:01 EDT 2002

>Sounds like the SessionCreate() API you mention should be used in
>pam_sm_acct_mgmt() in pam_securityserver; seems to me that it 
>would better to fix pam_securityserver rather than propgate
>proprietary Apple API into OpenSSH.

Sorry, I should have looked at the code closely before engaging

SessionCreate() is used in pam_sm_authenticate(). In any case,
the proper place for this would seem to be pam_sm_setcred() or
pam_sm_open_session(). There are some rather cryptic comments
in pam_securityserver.c as to why this is not done:

/* pam_sm_setcred:
 * The purpose of this function is to set the user's "credentials".
 * This function is invoked only *after* the user has been authenticated.
 * AFAIK, PAM's ideas of "credentials" is taking any information the
 * authentication token has and making that available to the calling
 * program through pam_set_data().  This can also be an opportunity
 * to make additional information available to the authentication token.
 * Since our SecurityServer token doesn't know anything more about
 * the user or environment than the calling program does, this essentially
 * checks the authentication token to ensure that it is still valid.
 * We could also give some additional information to the SecurityServer,
 * but apparently the SecurityServer doesn't actually use or allow the
 * retrieval of that information at this time.

-- Luke

Luke Howard | PADL Software Pty Ltd |

More information about the krbdev mailing list