| Summary: | PAM with ssh authentication and pam_krb5 doesn't work properly | ||
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Bob Smith <b_smith44> |
| Component: | sshd | Assignee: | OpenSSH Bugzilla mailing list <openssh-bugs> |
| Status: | CLOSED INVALID | ||
| Severity: | normal | CC: | gunnar |
| Priority: | P2 | ||
| Version: | -current | ||
| Hardware: | UltraSPARC | ||
| OS: | Solaris | ||

This fix is incorrect - the creds (which are often supplemental groups) need to be reestablished after initgroups(), which we call elsewhere. Does the PAM module not support reestablishing credentials?

*** Bug 128 has been marked as a duplicate of this bug. ***

*** Bug 228 has been marked as a duplicate of this bug. ***

4 months, no reply = no bug

Mass change of RESOLVED bugs to CLOSED

When authenticating against pam_krb5, a user can only log in when sshd is configured to use the system's login routine. The byproduct of this problem is that the user cannot use X forwarding. This patch fixes the problem by modifying the call to pam_setcred to only use the PAM_ESTABLISH_CRED flag. Users can now log in (at least with Solaris 8) with the pam.conf entry:

sshd auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
sshd auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass

*** auth-pam.c- Mon Feb 25 18:36:04 2002 --- auth-pam.c Tue Feb 26 10:05:31 2002 *************** *** 297,304 **** do_pam_set_conv(&conv); debug("PAM establishing creds"); ! pam_retval = pam_setcred(__pamh, ! init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); if (pam_retval != PAM_SUCCESS) { if (was_authenticated) fatal("PAM setcred failed[%d]: %.200s", --- 297,303 ---- do_pam_set_conv(&conv); debug("PAM establishing creds"); ! pam_retval = pam_setcred(__pamh, PAM_ESTABLISH_CRED); if (pam_retval != PAM_SUCCESS) { if (was_authenticated) fatal("PAM setcred failed[%d]: %.200s",
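
Review bot: Replacing `init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED` with a hard-coded `PAM_ESTABLISH_CRED` in the `pam_setcred()` call at line 297 leaves `init` with no effect at this call site and removes the reinitialize path for every PAM module on every platform, while the report only covers pam_krb5 on Solaris 8. Any call made with `init` false, which previously asked the module to reinitialize credentials, will now request a fresh establish instead. Consider keeping the conditional and, if pam_krb5 rejects `PAM_REINITIALIZE_CRED`, retrying with `PAM_ESTABLISH_CRED` only when the reinitialize call does not return `PAM_SUCCESS`, with a `debug()` line recording the fallback so the behaviour is visible in the sshd log.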