[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

missing functionality in pam_krb5 ?

To: <heimdal-discuss@sics.se>
Subject: missing functionality in pam_krb5 ?
From: Wolfgang Friebel <friebel@ifh.de>
Date: Tue, 30 Jul 2002 16:04:15 +0200 (MEST)
Sender: owner-heimdal-discuss@sics.se

I am using Balazs GAL's pam_krb5-1_56-1-heimdal-1_2-2.tar.gz pam
implementation for use with Heimdal and OpenAFS.

It works properly, when session management is involved like e.g. with
sshd. But when applications like xlock or screensaver are used it
seems not to do what I expect (and what the OpenAFS pam is providing).

In my opinion when authenticating against apps like xlock one should

1) obtain a new or refreshed K5 TGT (optionally a K4 one as well)
2) obtain a new AFS token.

As no new session is started, I would expect to have updated the original
ticket caches and calling setpag has to be avoided.

As xlock is not calling pam_sm_setcred, it has to be forced by setting
the pam option tokens (or get_tokens or force_cred). Even then
pam_sm_setcred is not called, because in line 1949 of pam_krb5afs.c the
variable stash->have_v4_creds is not set:

    if (RC_OK && config->setcred && stash->have_v4_creds) {

This variable would get set in the preceding block, which is executed
only if config->native_krb4_tgt is true (this is not the case).

Even after stash->have_v4_creds is set then the unconditional setpag call
around line 2407 is preventing the AFS token to persist.

Did I miss something or was this functionality left out on purpose?


Wolfgang Friebel

Follow-Ups:
- Re: missing functionality in pam_krb5 ?
  - From: Balazs GAL <balsa@rit.bme.hu>

Prev by Date: Kerberos authentication in HTTP
Next by Date: Re: missing functionality in pam_krb5 ?
Prev by thread: Kerberos authentication in HTTP
Next by thread: Re: missing functionality in pam_krb5 ?
Index(es):
- Date
- Thread