| Summary: | pam_krb5(8): pam_krb5 not storing tickets in /tmp | | |
|---|---|---|---|
| Product: | Base System | Reporter: | Chris Telting <christoper> |
| Component: | bin | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed Not Accepted | | |
| Severity: | Affects Only Me | CC: | ansarm, des |
| Priority: | Normal | | |
| Version: | Unspecified | | |
| Hardware: | Any | | |
| OS: | Any | | |

Description
Chris Telting
2011-11-21 07:30:11 UTC
I have repro'd the same issue. I was reviewing the Apple code here: http://www.opensource.apple.com/source/pam_modules/pam_modules-6/pam_krb5/pam_krb5.c

I think they were also trying to fix the same error, as they replaced pam_get_data/pam_set_data with pam_getenv/pam_setenv (but only halfway through the code).

OK, I did some additional digging. It seems that this only happens with forking PAM applications. For instance, the "bug" manifests itself with sshd but not with login. See this for a possible reason: http://www.redhat.com/archives/pam-list/2007-September/msg00040.html

Based on that, it seems that pam_sm_authenticate and pam_sm_setcred are running in two different processes.

This is specific to sshd. It runs pam_open_session(3) in a different process than pam_authenticate(3), so the ticket that pam_krb5(8) received while executing the latter is not available when executing the former. This is a fundamental flaw in (depending on who you ask) PAM, OpenSSH, or the way PAM is integrated into OpenSSH.
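The process split described in this report can be reproduced without PAM. The following is an added example, not part of the original bug thread and not pam_krb5, libpam or OpenSSH code. `module_data`, `auth_step`, `session_step`, the pipe relay and the cache path are hypothetical stand-ins for process-local module data and the two PAM phases.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for data that pam_set_data() keeps in the memory of
 * the calling process; this is not libpam or pam_krb5 code. */
static char module_data[64];

/* Role of pam_sm_authenticate: remember the ticket cache (constructed path). */
static void auth_step(void) {
    snprintf(module_data, sizeof module_data, "/tmp/krb5cc_constructed");
}

/* Role of the later setcred/open_session step: 1 if the cache name is known. */
static int session_step(void) { return module_data[0] != '\0'; }

/* login-style caller: both steps run in one process. */
int same_process(void) {
    module_data[0] = '\0';
    auth_step();
    return session_step();
}

/* sshd-style caller: auth in a forked child, session step in the parent.
 * With relay != 0 the child hands the value back over a pipe (an assumption,
 * shown only to contrast with process-local storage). */
int split_process(int relay) {
    int fds[2];
    module_data[0] = '\0';
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: authenticate, then exit */
        close(fds[0]);
        auth_step();
        if (relay && write(fds[1], module_data, strlen(module_data) + 1) < 0)
            _exit(1);
        _exit(0);
    }
    close(fds[1]);                        /* parent never sees child memory */
    if (read(fds[0], module_data, sizeof module_data - 1) < 0) module_data[0] = '\0';
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return session_step();
}

int main(void) {
    printf("%d %d %d\n", same_process(), split_process(0), split_process(1));
}
```

The session step finds the cache name only when both steps share a process or the value is passed across the process boundary explicitly.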