Bug 127 - PAM with ssh authentication and pam_krb5 doesn't work properly
Status: CLOSED INVALID
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: -current
Hardware: UltraSPARC Solaris
Importance: P2 normal
Assignee: OpenSSH Bugzilla mailing list
Duplicates: 128 228
Reported: 2002-02-28 05:34 AEDT by Bob Smith
Modified: 2004-04-14 12:24 AEST

Description Bob Smith 2002-02-28 05:34:02 AEDT
when authenticating against pam_krb5 a user can only login when sshd is 
configured to use the system's login routine. the byproduct of this problem is 
that the user can not use X forwarding.

this patch fixes the problem by modifying the call to pam_setcred to only use 
the PAM_ESTABLISH_CRED flag.

users can now login (at least with solaris 8) with the pam.conf entry:

sshd  auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
sshd  auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass


*** auth-pam.c- Mon Feb 25 18:36:04 2002
--- auth-pam.c  Tue Feb 26 10:05:31 2002
***************
*** 297,304 ****
       do_pam_set_conv(&conv);

       debug("PAM establishing creds");
!       pam_retval = pam_setcred(__pamh,
!           init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED);
       if (pam_retval != PAM_SUCCESS) {
               if (was_authenticated)
                       fatal("PAM setcred failed[%d]: %.200s",
--- 297,303 ----
       do_pam_set_conv(&conv);

       debug("PAM establishing creds");
!       pam_retval = pam_setcred(__pamh, PAM_ESTABLISH_CRED);
       if (pam_retval != PAM_SUCCESS) {
               if (was_authenticated)
                       fatal("PAM setcred failed[%d]: %.200s",
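Review bot: The changed pam_setcred() call no longer selects on init, so a caller that passes init as false now gets PAM_ESTABLISH_CRED too and nothing in this hunk requests PAM_REINITIALIZE_CRED any more. If the goal is to cope with a module that fails on reinitialize, keep the original `init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED` selection and handle that specific failure (for example, retry with PAM_ESTABLISH_CRED only when the reinitialize call does not return PAM_SUCCESS), with a comment naming the module and platform that need it. If init is not read anywhere else in this function, the parameter is now dead and should be removed or the change should explain why it stays.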
Comment 1 Damien Miller 2003-01-07 17:13:10 AEDT
This fix is incorrect - the creds (which are often supplemental groups) need to
be reestablished after initgroups(), which we call elsewhere.

Does the PAM module not support reestablishing credentials?
Comment 2 Damien Miller 2003-01-07 17:58:29 AEDT
*** Bug 128 has been marked as a duplicate of this bug. ***
Comment 3 Damien Miller 2003-01-07 17:58:54 AEDT
*** Bug 228 has been marked as a duplicate of this bug. ***
Comment 4 Damien Miller 2003-05-15 18:23:24 AEST
4 months, no reply = no bug
Comment 5 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED