libpam-krb5 on Ubuntu 8.04 with MIT Kerberos and PKINIT
Douglas E. Engert
deengert at anl.gov
Thu May 15 15:52:10 EDT 2008
Russ Allbery wrote:
> "Douglas E. Engert" <deengert at anl.gov> writes:
>> I was trying to get the PKINIT working on Ubuntu 8.04
>> which comes with:
>> libpam-krb5 3.10-1
>> krb5-pkinit 1.6.dfsg.3~beta1-2ubuntu1
>> I had to make a change to the libpam-krb5 auth.c to remove a test for
> >> a bug that appears to be fixed in krb5-1.6.3. I just changed the #ifdef
>> to not include the call to clear out the opts structure.
> The bug was fixed in 1.6.3, but I didn't think it was fixed in such a way
> as to make that code break anything. Not running that fixed something?
The pkinit would not work with the call krb5_get_init_creds_opt_init(opts)
code being called. It looks like it sets the
opt->flag = KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT
and thus loses the KRB5_GET_INIT_CREDS_OPT_EXTENDED flag. Not sure
if krb5_get_init_creds_opt_set_pa failed or stored something.
In any case, the PKINIT worked when I remove the call the
> Does MIT now do what Heimdal does and zero out the allocated memory as
> well when one runs opt_init?
I believe so, it looks like calloc is used by krb5int_gic_opte_alloc and
krb5int_gic_opte_private_alloc in 1.6.3-beta1
I would hope one of the MIT people could comment.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
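
Added example, not part of the original message and not code from libpam-krb5 or MIT Kerberos: a self-contained C model of the call sequence discussed above, showing how re-initializing an allocated options structure drops the extended flag so that a later preauth option is not stored. All `model_` names and the flag values are constructed for illustration, and the rejection inside `model_opt_set_pa` is an assumption (the message leaves open whether the real call failed or stored something).

```c
#include <stdio.h>
#include <stdlib.h>

/* Flag values are constructed for this model, not copied from krb5.h. */
#define MODEL_OPT_CHG_PWD_PRMPT 0x0100u
#define MODEL_OPT_EXTENDED      0x80000000u

struct model_opts { unsigned int flags; int num_preauth; };

/* Models krb5_get_init_creds_opt_alloc: zeroed memory, marked extended. */
struct model_opts *model_opt_alloc(void)
{
    struct model_opts *o = calloc(1, sizeof(*o));
    if (o) o->flags = MODEL_OPT_EXTENDED | MODEL_OPT_CHG_PWD_PRMPT;
    return o;
}

/* Models krb5_get_init_creds_opt_init as the message describes it:
 * a plain assignment, so every other flag bit is dropped. */
void model_opt_init(struct model_opts *o) { o->flags = MODEL_OPT_CHG_PWD_PRMPT; }

/* Models krb5_get_init_creds_opt_set_pa. Assumption: it refuses a
 * structure that is no longer marked extended. */
int model_opt_set_pa(struct model_opts *o)
{
    if (!(o->flags & MODEL_OPT_EXTENDED)) return -1;
    o->num_preauth++;
    return 0;
}

/* Returns how many preauth attributes survive the call sequence. */
int model_run(int call_init_after_alloc)
{
    struct model_opts *o = model_opt_alloc();
    int stored;
    if (o == NULL) return -1;
    if (call_init_after_alloc)
        model_opt_init(o);
    (void)model_opt_set_pa(o); /* a caller that ignores the return value */
    stored = o->num_preauth;
    free(o);
    return stored;
}

int main(void)
{
    printf("init after alloc: %d stored; alloc only: %d stored\n",
           model_run(1), model_run(0));
    return 0;
}
```

In the model, a caller that checks the return value of `model_opt_set_pa` would see the failure instead of silently continuing without the PKINIT option.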