Bug 127

Summary: PAM with ssh authentication and pam_krb5 doesn't work properly
Product: Portable OpenSSH Reporter: Bob Smith <b_smith44>
Component: sshdAssignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED INVALID    
Severity: normal CC: gunnar
Priority: P2    
Version: -current   
Hardware: UltraSPARC   
OS: Solaris   

Description Bob Smith 2002-02-28 05:34:02 AEDT
when using authenticating against pam_krb5 a user can only login when sshd is 
configured to use the system's login routine. the byproduct of this problem is 
that the user can not use X forwarding.

this patch fixes the problem by modifying the call to pam_setcred to only use 
the PAM_ESTABLISH_CRED flag.

users can now login (at least with solaris 8) with the pam.conf entry:

sshd  auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
sshd  auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass


*** auth-pam.c- Mon Feb 25 18:36:04 2002
--- auth-pam.c  Tue Feb 26 10:05:31 2002
***************
*** 297,304 ****
       do_pam_set_conv(&conv);

       debug("PAM establishing creds");
!       pam_retval = pam_setcred(__pamh,
!           init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED);
       if (pam_retval != PAM_SUCCESS) {
               if (was_authenticated)
                       fatal("PAM setcred failed[%d]: %.200s",
--- 297,303 ----
       do_pam_set_conv(&conv);

       debug("PAM establishing creds");
!       pam_retval = pam_setcred(__pamh, PAM_ESTABLISH_CRED);
       if (pam_retval != PAM_SUCCESS) {
               if (was_authenticated)
                       fatal("PAM setcred failed[%d]: %.200s",
Comment 1 Damien Miller 2003-01-07 17:13:10 AEDT
This fix is incorrect - the creds (which are often supplemental groups) need to
be  restablished after initgroups(), which we call elsewhere.

Does the PAM module not support restablishing credentials?
Comment 2 Damien Miller 2003-01-07 17:58:29 AEDT
*** Bug 128 has been marked as a duplicate of this bug. ***
Comment 3 Damien Miller 2003-01-07 17:58:54 AEDT
*** Bug 228 has been marked as a duplicate of this bug. ***
Comment 4 Damien Miller 2003-05-15 18:23:24 AEST
4 months, no reply = no bug
Comment 5 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED