[Bug 1339] New: pam_dhkeys doesn't work ( PAM_REINITIALIZE_CRED without PAM_ESTABLISH_CRED)
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Fri Jul 13 23:25:54 EST 2007
http://bugzilla.mindrot.org/show_bug.cgi?id=1339
Summary: pam_dhkeys doesn't work (PAM_REINITIALIZE_CRED without
PAM_ESTABLISH_CRED)
Product: Portable OpenSSH
Version: 4.6p1
Platform: Sparc
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: bitbucket at mindrot.org
ReportedBy: David.Leonard at quest.com
This bug is a consequence of the fix applied in bug 789.
When using keyboard-interactive to login through OpenSSH to a Solaris 8
NIS+/PAM host, the automatic 'keylogin' feature of the pam_dhkeys PAM
module disappears. It's not so bad; the workaround is to run keylogin
manually once at a shell.
debug3: PAM: opening session
debug1: PAM: reinitializing credentials
The cause seems to be that the pam_dhkeys.so module ignores the
PAM_REINITIALIZE_CRED flag passed by OpenSSH to pam_setcred(). If I
make it pass PAM_ESTABLISH_CRED instead, then it works fine.
The PAM_REINITIALIZE_CRED feature was added to fix when initgroups()
stomped on when pam_setcred() had already been called from early on in
do_exec_[no]_pty():
date: 2001-03-27 16:12:24 +1000; author: djm; state: Exp; lines: +4
-3;
- (djm) Reestablish PAM credentials (which can be supplemental group
memberships) after initgroups() blows them away. Report and
suggested
fix from Nalin Dahyabhai <nalin at redhat.com>
But, the early call to pam_setcred() was later disabled in bug 789 to
make linux pam_group.so work.
There seems to be much confusion over the purpose of pam_setcred(), but
I think it is safe to say that openssh should call setcred(ESTABLISH)
instead of setcred(REINITIALIZE) if setcred(ESTABLISH) has never been
called before.
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list