Bug 162715

Summary: pam_krb5(8): pam_krb5 not storing tickets in /tmp
Product: Base System Reporter: Chris Telting <christoper>
Component: binAssignee: freebsd-bugs (Nobody) <bugs>
Status: Closed Not Accepted    
Severity: Affects Only Me CC: ansarm, des
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   

Description Chris Telting 2011-11-21 07:30:11 UTC
pam_krb5 authenticates when I have it enabled in pam.d but it fails before storing a ticket in /tmp.  I have tracked it down so far to pam_set_data/pam_get_data.

Everything appears to be good and working in pam_sm_authenticate, I can pam_get_data after it's set perfectly fine.

But in pam_sm_setcred in pam_krb5, which gets called after pam_sm_authenticate completes, pam_get_data fails to retrieve it's ccache data and fails.

Now I'm stumped where to look.

How-To-Repeat: setup kerberos so you can kinit and kdestroy from a machine. Then on that machine enable kerberos through:

auth  sufficient pam_krb5.so  debug no_warn try_first_pass

Do this to login or ssh in the auth section.  Use a different password for kerberos so you know what is authenticating.  Use PAM_DEBUG versions of libpam.so.5 and pam_krb5.so.5 to see messages in /var/log/debug.log
Comment 1 Ansar Mohammed 2015-02-01 06:16:20 UTC
I have repro'd the same issue. 

I was reviewing the apple code here :
http://www.opensource.apple.com/source/pam_modules/pam_modules-6/pam_krb5/pam_krb5.c
I think they were also trying to fix the same error as they replaced pam_get_data/pam_set_data with  pam_getenv/pam_setenv (but only halfway through the code)
Comment 2 Ansar Mohammed 2015-02-03 03:19:20 UTC
Ok I did some additional digging. 
It seems that this only happens with forking pam applications. For instance the "bug" manifests itself with sshd but not with login.

see this for a possible reason:

http://www.redhat.com/archives/pam-list/2007-September/msg00040.html

based on that it seems that pam_sm_authenticate and pam_sm_setcred are running in two different processes.
Comment 3 Dag-Erling Smørgrav freebsd_committer freebsd_triage 2015-12-17 20:09:06 UTC
This is specific to sshd.  It runs pam_open_session(3) in a different process than pam_authenticate(3), so the ticket that pam_krb5(8) received while executing the latter is not available when executing the former.  This is a fundamental flaw in (depending on who you ask) PAM, OpenSSH, or the way PAM is integrated into OpenSSH.