Bug 162715 - pam_krb5(8): pam_krb5 not storing tickets in /tmp
Summary: pam_krb5(8): pam_krb5 not storing tickets in /tmp
Status: Closed Not Accepted
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: Unspecified
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-11-21 07:30 UTC by Chris Telting
Modified: 2015-12-17 20:09 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Chris Telting 2011-11-21 07:30:11 UTC
pam_krb5 authenticates when I have it enabled in pam.d but it fails before storing a ticket in /tmp.  I have tracked it down so far to pam_set_data/pam_get_data.

Everything appears to be good and working in pam_sm_authenticate, I can pam_get_data after it's set perfectly fine.

But in pam_sm_setcred in pam_krb5, which gets called after pam_sm_authenticate completes, pam_get_data fails to retrieve it's ccache data and fails.

Now I'm stumped where to look.

How-To-Repeat: setup kerberos so you can kinit and kdestroy from a machine. Then on that machine enable kerberos through:

auth  sufficient pam_krb5.so  debug no_warn try_first_pass

Do this to login or ssh in the auth section.  Use a different password for kerberos so you know what is authenticating.  Use PAM_DEBUG versions of libpam.so.5 and pam_krb5.so.5 to see messages in /var/log/debug.log
Comment 1 Ansar Mohammed 2015-02-01 06:16:20 UTC
I have repro'd the same issue. 

I was reviewing the apple code here :
http://www.opensource.apple.com/source/pam_modules/pam_modules-6/pam_krb5/pam_krb5.c
I think they were also trying to fix the same error as they replaced pam_get_data/pam_set_data with  pam_getenv/pam_setenv (but only halfway through the code)
Comment 2 Ansar Mohammed 2015-02-03 03:19:20 UTC
Ok I did some additional digging. 
It seems that this only happens with forking pam applications. For instance the "bug" manifests itself with sshd but not with login.

see this for a possible reason:

http://www.redhat.com/archives/pam-list/2007-September/msg00040.html

based on that it seems that pam_sm_authenticate and pam_sm_setcred are running in two different processes.
Comment 3 Dag-Erling Smørgrav freebsd_committer 2015-12-17 20:09:06 UTC
This is specific to sshd.  It runs pam_open_session(3) in a different process than pam_authenticate(3), so the ticket that pam_krb5(8) received while executing the latter is not available when executing the former.  This is a fundamental flaw in (depending on who you ask) PAM, OpenSSH, or the way PAM is integrated into OpenSSH.