OpenSSH, PAM and kerberos

Dag-Erling Smørgrav des at des.no
Tue Sep 3 15:25:11 UTC 2013


Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
> Dag-Erling Smørgrav <des at des.no> writes:
> > Did you read *anything* that I wrote?
> I read. Maybe I write badly, sorry for my English.

No, your English is fine, but I feel like I'm trying to explain to you
that I want to replace a carburetted engine with an injection engine and
you keep complaining about how hard it will be to fit the carburettor.

I am *not* proposing to move PAM into a daemon.  I am proposing
something completely new.  I thought I made that clear.

> The application doesn't know about KRB5CCNAME (in the general case), and
> the authentication daemon doesn't know about KRB5CCNAME either. How can the
> daemon learn that it needs to transfer KRB5CCNAME to the application?

KRB5CCNAME is an environment variable.  OpenSSH already contains code
that copies environment variables from the PAM child process to the main
process.  The problem is that at this point, the credentials are stored
in a temporary cache within the process, rather than a persistent cache,
and KRB5CCNAME is not yet set.  The temporary cache is lost when the PAM
child terminates, before pam_setcred() is called.

> If called from the application, pam_krb5 changes the application's
> environment or context and the application doesn't need to worry about
> the changes. All is done by PAM modules.

Yes.  PAM is crap.

DES
-- 
Dag-Erling Smørgrav - des at des.no
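As an added illustration of the mechanism DES describes (not OpenSSH's own code and not part of this thread), the following C program has a child process set KRB5CCNAME and hand it to the parent over a pipe, the way sshd copies environment variables out of its PAM child. The cache name, the one-line "NAME=VALUE" pipe protocol and the function names are assumptions made for this example; the point it shows is that only the environment string crosses the process boundary, so a credential cache that lives only in the child's memory is gone once the child exits.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed sample value; a real pam_krb5 would choose the cache name. */
#define CCNAME_SAMPLE "FILE:/tmp/krb5cc_example"

/* Read "NAME=VALUE\n" lines from fd and apply each with setenv().
 * Malformed lines (no '=' or empty name) are skipped.
 * Returns the number of variables imported. */
int import_env_from_fd(int fd) {
    char buf[4096];
    ssize_t n, total = 0;
    while ((n = read(fd, buf + total, sizeof(buf) - 1 - total)) > 0)
        total += n;
    buf[total] = '\0';

    int count = 0;
    char *save = NULL;
    for (char *line = strtok_r(buf, "\n", &save); line != NULL;
         line = strtok_r(NULL, "\n", &save)) {
        char *eq = strchr(line, '=');
        if (eq == NULL || eq == line)
            continue;
        *eq = '\0';
        if (setenv(line, eq + 1, 1) == 0)
            count++;
    }
    return count;
}

/* Simulate the "PAM child": it sets KRB5CCNAME in its own environment and
 * exports that one variable over a pipe before exiting. The parent imports
 * it. Returns 1 if KRB5CCNAME is visible in the parent afterwards, 0 if not,
 * -1 on a system-call failure. */
int run_pam_child_and_import(void) {
    unsetenv("KRB5CCNAME");            /* start from a clean parent env */

    int fds[2];
    if (pipe(fds) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {                    /* child: the hypothetical PAM side */
        close(fds[0]);
        setenv("KRB5CCNAME", CCNAME_SAMPLE, 1);
        /* Anything held only in this process's memory (e.g. a MEMORY:
         * credential cache) is not sent; only the environment string is. */
        dprintf(fds[1], "KRB5CCNAME=%s\n", getenv("KRB5CCNAME"));
        close(fds[1]);
        _exit(0);
    }

    close(fds[1]);                     /* parent: the hypothetical sshd side */
    int imported = import_env_from_fd(fds[0]);
    close(fds[0]);
    waitpid(pid, NULL, 0);

    const char *v = getenv("KRB5CCNAME");
    return (imported == 1 && v != NULL && strcmp(v, CCNAME_SAMPLE) == 0) ? 1 : 0;
}

int main(void) {
    int ok = run_pam_child_and_import();
    printf("KRB5CCNAME in parent: %s (status %d)\n",
           getenv("KRB5CCNAME") ? getenv("KRB5CCNAME") : "(unset)", ok);
    return ok == 1 ? 0 : 1;
}
```

The variable name survives the round trip because it is just a string; whether the cache it points at still exists after the child exits depends entirely on the cache type, which is the gap the message is about.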

