[Cc'ing pam-list@redhat.com]

On Tue, Aug 28, 2001 at 11:45:40AM -0700, Darren J Moffat wrote:
> On Tue, 28 Aug 2001, Stuart Lamble wrote:
>
> > To clarify why we're using PAM: the system in question is set up to
> > communicate with a Kerberos server, with all authentication being done
> > using Kerberos. It's somewhat easier to do all of that with PAM than to
> > try to replace login, etc.
>
> Are you using the pam_krb5 module shipped with Solaris ?
> Does pam_krb5 work properly for you when used with dtlogin or /bin/login (ie
> login at the console).

Looking at our copy of Solaris 2.6 and 8 source code I can see that Sun's
pam_krb5 treats PAM_REINITIALIZE_CREDS and PAM_REFRESH_CREDS as synonyms.
Also, not one Sun app uses PAM_REINITIALIZE_CREDS (ok, I haven't checked
dtlogin's source code -- I could).

> > There's also been the question of whether do_pam_setcred() should be called
> > before or after the uid has been set to the user's. Changing the code to
> > call do_pam_setcred() after the call to permanently_set_uid(), however,
> > seems to make no difference to the crashing.
>
> It has to be before you give up root creds since there are assumptions in
> some PAM modules that it can do things only root can do (making private
> nfs system calls to pass creds down to the kernel for use by NFS).

Neither the Sun PAM documentation nor the Linux-PAM documentation describe
the semantics of PAM_REINITIALIZE_CREDS in any useful detail.

Could we please have a clarification on the semantics of PAM_CRED_ESTABLISH
vs. the semantics of PAM_REINITIALIZE_CREDS?

My guess, given what OpenSSH does with PAM: PAM_CRED_ESTABLISH means "make
it so we can use your module's credentials as root" whereas
PAM_REINITIALIZE_CREDS means "make it so we can use your module's
credentials as pam_get_item(PAM_USER)."

And, given what OpenSSH does, it seems that pam_setcred(PAM_REINITIALIZE_CREDS)
should be called with (euid==0 || uid==0) and gid/egid/groups set up to be the
PAM_USER's.

But none of this is documented!

As for PAM_KRB5, assuming my interpretation of PAM_REINITIALIZE_CREDS is
correct, it should create a root-owned ccache when its pam_sm_setcred() is
called to PAM_CRED_ESTABLISH and it should create a PAM_USER-owned ccache when
its pam_sm_setcred() is called to PAM_REINITIALIZE_CREDS.

[...]

> --
> Darren J Moffat

The semantics of pam_setcred()'s flags must be documented, and possibly even
agreed upon, before this problem can be closed.

Cheers,

Nico