OpenSSHd barfs upon reauthentication: PAM, Solaris 8

Darren J Moffat darrenm at eng.sun.com
Wed Aug 29 04:45:40 EST 2001


On Tue, 28 Aug 2001, Stuart Lamble wrote:

> To clarify why we're using PAM: the system in question is set up to
> communicate with a Kerberos server, with all authentication being done
> using Kerberos. It's somewhat easier to do all of that with PAM than to
> try to replace login, etc.

Are you using the pam_krb5 module shipped with Solaris ?
Does pam_krb5 work properly for you when used with dtlogin or /bin/login (ie
login at the console).
 
> There's also been the question of whether do_pam_setcred() should be called
> before or after the uid has been set to the user's. Changing the code to
> call do_pam_setcred() after the call to permanently_set_uid(), however,
> seems to make no difference to the crashing.

It has to before you give up root creds since there are assumptions in
some PAM modules that it can do things only root can do (making private
nfs system calls to pass creds down to the kernel for use by NFS).
 
Does sshd work for you when you use pam_unix instead of pam_krb5 ?

Are you using only pam_krb5 ?
Are you doing authentication via PAM or via publickey ? (This I think is
could be the critical part because I have a feeling there is an assumption
in the pam_krb5 module that pam_sm_setcred is only being called after 
pam_sm_authenticate.

--
Darren J Moffat




More information about the openssh-unix-dev mailing list