[28825] in Kerberos
Re: pam-krb5 3.9 released
daemon@ATHENA.MIT.EDU (Markus Moeller)
Sat Dec 1 10:54:40 2007
To: kerberos@mit.edu
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Sat, 1 Dec 2007 15:26:09 -0000
Message-ID: <firuf1$tqe$1@ger.gmane.org>
Russ,
I have a problem with pam_sm_setcred when authenticating non-local users. I
have the following in my PAM file
application auth required pam-krb5-3.9 no_ccache
application account required pam-krb5-3.9 no_ccache
application session required pam_dummy
to authenticate users of an application with Kerberos. Unfortunately the
application also uses pam_setcred and pam_sm_open/close_session calls, and
pam_sm_setcred fails because in pam_sm_setcred the pamret =
pamk5_context_fetch(args) call fails and sets the return code to 24 (Module
specific data not found). You nicely jump over getpwnam when no_ccache is
selected, but I think in the case of no_ccache a failure of
pamk5_context_fetch shouldn't be fatal.
Can this be changed in the next release?
Thank you
Markus
int
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    struct context *ctx = NULL;
    struct pam_args *args;
    krb5_ccache cache = NULL;
    char *cache_name = NULL;
    int reinit = 0, status = 0;
    int pamret, allow;
    struct passwd *pw = NULL;
    uid_t uid;
    gid_t gid;

    args = pamk5_args_parse(pamh, flags, argc, argv);
    if (args == NULL) {
        pamk5_error(NULL, "cannot allocate memory: %s", strerror(errno));
        pamret = PAM_SERVICE_ERR;
        goto done;
    }
    /* With no_ccache set, a failure here is carried unchanged to done. */
    pamret = pamk5_context_fetch(args);
    ENTRY(args, flags);

    /*
     * Special case.  Just free the context data, which will destroy the
     * ticket cache as well.
     */
    if (flags & PAM_DELETE_CRED) {
        pamret = pam_set_data(pamh, "pam_krb5", NULL, NULL);
        args->ctx = NULL;
        goto done;
    }

    /* If configured not to create a cache, we have nothing to do. */
    if (args->no_ccache)
        goto done;

    ....

done:
    if (cache != NULL)
        krb5_cc_destroy(ctx->context, cache);
    if (cache_name != NULL)
        free(cache_name);
    EXIT(args, pamret);
    pamk5_args_free(args);
    return pamret;
}
"Russ Allbery" <rra@stanford.edu> wrote in message
news:87pryfdkmc.fsf@windlord.stanford.edu...
> I'm pleased to announce release 3.9 of pam-krb5.
>
> pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
> It supports ticket refreshing by screen savers, configurable authorization
> handling, authentication of non-local accounts for network services,
> password changing, and password expiration, as well as all the standard
> expected PAM features. It works correctly with OpenSSH, even with
> ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
> supports configuration either by PAM options or in krb5.conf or both.
>
> Changes from previous release:
>
> If use_authtok is set, fail even if we can retrieve the stored PAM
> password if that password is set to NULL. Apparently that can happen
> in some cases, such as with pam_cracklib. Thanks to Christian Holler
> for the diagnosis and a patch.
>
> Add a new clear_on_fail option for the password group. If set, when a
> password change fails, set PAM_AUTHTOK to NULL so that subsequent
> modules in the PAM stack with use_authtok set will also fail. Just
> returning failure doesn't abort the stack on the second pass when
> actual password changes are made. This is not the default since it
> interferes with other desirable PAM configurations. It's useful
> primarily when using the PAM stack to synchronize passwords between
> multiple environments. Thanks to Christian Holler and Tomas Mraz for
> the analysis.
>
> Fix portability issues with Heimdal, versions of PAM that don't
> provide pam_modutil_getpwnam, and compiler warnings when building
> PKINIT support. Thanks, Martin von Gagern.
>
> Fix parsing of the keytab PAM option. Thanks, Markus Moeller.
>
> Return PAM_AUTHINFO_UNAVAIL instead of PAM_AUTH_ERR when unable to
> resolve the Kerberos realm. Thanks, Frank Cornelissen.
>
> Add a new debugging section to the README.
>
> You can download it from:
>
> <http://www.eyrie.org/~eagle/software/pam-krb5/>
>
> Debian packages have been uploaded to Debian unstable.
>
> Please let me know of any problems or feature requests not already listed
> in the TODO file.
>
> --
> Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
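As an added example, not code from Markus's message or from pam-krb5 itself: the C program below models the pam_sm_setcred flow quoted above with stand-in PAM pieces (the return-code values, the PAM_DELETE_CRED bit, pam_handle_t, pam_get_data and pam_set_data are assumptions, and libpam is not linked). It reproduces the reported failure, a context lookup that fails because the auth phase ran with no_ccache and never stored a context, and shows one way to treat that as non-fatal under no_ccache while keeping it an error when a cache is expected.

```c
/*
 * Added example, not pam-krb5 code: a self-contained model of the
 * pam_sm_setcred flow from the message above. libpam is not used; the
 * return codes, flag bit, handle and pam_get_data/pam_set_data below
 * are stand-ins (assumptions) so this builds with any C compiler.
 */
#include <stdio.h>
#include <string.h>

/* Stand-in codes; real values differ between PAM implementations and
 * 24 is simply the value reported in the message. */
enum { PAM_SUCCESS = 0, PAM_NO_MODULE_DATA = 24 };
#define PAM_DELETE_CRED 0x0004           /* stand-in flag bit */

/* Stand-in handle with a single module-data slot. */
typedef struct pam_handle {
    const char *data_name;               /* registered name, or NULL */
    void       *data;                    /* module context, or NULL */
} pam_handle_t;

static int pam_set_data(pam_handle_t *pamh, const char *name, void *data,
                        void (*cleanup)(pam_handle_t *, void *, int))
{
    (void) cleanup;                      /* no cleanup callbacks here */
    pamh->data_name = (data != NULL) ? name : NULL;
    pamh->data = data;
    return PAM_SUCCESS;
}

static int pam_get_data(const pam_handle_t *pamh, const char *name,
                        const void **out)
{
    if (pamh->data == NULL || strcmp(pamh->data_name, name) != 0)
        return PAM_NO_MODULE_DATA;       /* nothing stored under name */
    *out = pamh->data;
    return PAM_SUCCESS;
}

struct context { int has_cache; };       /* krb5 context/cache in pam-krb5 */

struct pam_args {
    pam_handle_t   *pamh;
    int             no_ccache;           /* the no_ccache PAM option */
    struct context *ctx;
};

/* Plays the role of pamk5_context_fetch: find the context auth stored. */
static int context_fetch(struct pam_args *args)
{
    const void *data = NULL;
    int status = pam_get_data(args->pamh, "pam_krb5", &data);
    if (status == PAM_SUCCESS)
        args->ctx = (struct context *) data;
    return status;
}

/*
 * tolerant == 0 keeps the posted order of operations: pamret holds the
 * fetch result and the no_ccache shortcut returns it unchanged, so a
 * context that was never stored becomes the return value. tolerant == 1
 * treats that as the expected state under no_ccache and reports success;
 * without no_ccache a missing context is still an error either way.
 */
int setcred(struct pam_args *args, int flags, int tolerant)
{
    int pamret = context_fetch(args);
    if (flags & PAM_DELETE_CRED) {       /* just drop the context */
        pamret = pam_set_data(args->pamh, "pam_krb5", NULL, NULL);
        args->ctx = NULL;
        return pamret;
    }
    if (args->no_ccache)                 /* no cache to create */
        return tolerant ? PAM_SUCCESS : pamret;
    if (pamret != PAM_SUCCESS)
        return pamret;
    /* ... cache creation and ownership handling elided ... */
    return PAM_SUCCESS;
}

/* Run setcred on a fresh handle; stored says whether the auth phase left
 * a context behind (it does not when it ran with no_ccache). */
int run_setcred(int no_ccache, int stored, int flags, int tolerant)
{
    static struct context ctx = { 1 };
    pam_handle_t pamh = { NULL, NULL };
    struct pam_args args = { &pamh, no_ccache, NULL };
    if (stored)
        pam_set_data(&pamh, "pam_krb5", &ctx, NULL);
    return setcred(&args, flags, tolerant);
}

int main(void)
{
    printf("posted,   no_ccache, no context: %d\n", run_setcred(1, 0, 0, 0));
    printf("tolerant, no_ccache, no context: %d\n", run_setcred(1, 0, 0, 1));
    printf("tolerant, cache,     no context: %d\n", run_setcred(0, 0, 0, 1));
    return 0;
}
```

Build it with any C compiler and run it. Only the no_ccache branch differs between the two variants: the posted ordering hands the fetch failure back to the application, the tolerant ordering reports success because there is no cache to set up, and both still reject a missing context when a cache is expected. The PAM_DELETE_CRED path is unchanged in both.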