
Re: pam_krb5+Debian's login+telnet breaks!



On Sun, Nov 19, 2000 at 11:55:29AM +0100, Johan Danielsson wrote:
> Brian May <bam@snoopy.apana.org.au> writes:
> 
> > Ohh - and something else. If I change:
> > 
> > auth       required pam_krb5.so
> > 
> > to:
> > 
> > auth       sufficient pam_krb5.so 
> > auth       required   pam_unix.so nullok
> > 
> > it works too.
> 
> If it requires some authentication it should probably ask for a
> password even with -f, no? Can't say I know how PAM's supposed to
> work.

FWIW, Sun's /bin/login skips pam_authenticate() if -f && ruid == 0.

The issue then is where should pam_krb5 find any forwarded credentials.
MIT's telnetd/login.krb5 use a ccache named after a PID (e.g.,
/tmp/krb5cc_p12345) to communicate forwarded credentials between telnetd
and login.krb5. I suspect Sun's implementation does the same thing, only
with pam_krb5 instead of login.krb5.

BTW, there is a safe, portable way to handle the /tmp ccache create/
rename/chown issue. When telnetd creates the ccache it should do so as
root and using (O_RDWR|O_CREAT|O_EXCL), then it should stat()/fstat()/
lstat() the fildes/filename to make sure they are the same file after
the open and NOT a symlink. login.krb5/pam_krb5 should act similarly
prior to chowning/renaming the ccache, or it should create a new ccache
as the user and then add to it the credentials retrieved from the first
ccache (which should be removed).

> /Johan


Nico
--
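The create/check/chown sequence Nico describes, written out as an added C example (not code from this thread, telnetd, login.krb5 or any pam_krb5): open with O_RDWR|O_CREAT|O_EXCL, then fstat() the descriptor and lstat() the name and insist they are the same regular file; later, before handing the file to the user, repeat the check and chown through the descriptor. The function names, the scratch directory under /tmp, the krb5cc_p12345-style file name and the chown-to-self used so the demo runs unprivileged are all assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Does the open descriptor still refer to the same regular file that
 * `path` names right now, and is `path` itself not a symlink?
 * This is the fstat()/lstat() comparison from the message. */
static int same_regular_file(int fd, const char *path)
{
    struct stat fs, ls;
    if (fstat(fd, &fs) != 0 || lstat(path, &ls) != 0)
        return 0;
    return S_ISREG(ls.st_mode) && fs.st_dev == ls.st_dev && fs.st_ino == ls.st_ino;
}

/* Step 1 (telnetd, as root): create the ccache with O_EXCL so that any
 * pre-existing entry at that name, a symlink included, makes open() fail
 * instead of being reused. Returns an open fd, or -1 with errno set. */
int safe_create_ccache(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (!same_regular_file(fd, path)) {
        close(fd);          /* deliberately no unlink: the name may no longer be ours */
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Step 2 (login.krb5 / pam_krb5): before giving the file to the user,
 * repeat the same check and chown via the descriptor, not the name. */
int safe_chown_ccache(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return -1;
    if (!same_regular_file(fd, path)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    if (fchown(fd, uid, gid) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);
    return 0;
}

/* Exercise both steps in a private scratch directory (constructed here).
 * Returns a bitmask of failed checks, so 0 means every case behaved. */
int run_demo(void)
{
    char dir[] = "/tmp/ccdemo.XXXXXX";
    char cc[96], link[96];
    int fd, rc = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(cc, sizeof cc, "%s/krb5cc_p12345", dir);   /* PID-style name from the message */
    snprintf(link, sizeof link, "%s/krb5cc_p999", dir);

    /* a fresh name is created and handed back as an fd */
    fd = safe_create_ccache(cc);
    if (fd < 0) rc |= 1; else close(fd);

    /* the same name again is refused by O_EXCL with EEXIST */
    if (safe_create_ccache(cc) != -1 || errno != EEXIST) rc |= 2;

    /* the legitimate file can be chowned (to ourselves, so no root needed) */
    if (safe_chown_ccache(cc, getuid(), getgid()) != 0) rc |= 4;

    /* a symlink planted at a ccache name is rejected by both steps */
    if (symlink(cc, link) != 0) rc |= 8;
    if (safe_create_ccache(link) != -1) rc |= 16;
    if (safe_chown_ccache(link, getuid(), getgid()) != -1) rc |= 32;

    unlink(link); unlink(cc); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("ccache handling demo: %s (failure mask %d)\n",
           rc == 0 ? "all checks passed" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

The symlink case shows why the lstat() half of the check matters: open() on the symlink without O_CREAT happily follows it to the real file, and only comparing the name's lstat() result against the descriptor's fstat() result exposes that the name is not a plain file.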