OpenSSHd barfs upon reauthentication: PAM, Solaris 8

Stuart Lamble sjl at debian.lib.monash.edu.au
Wed Aug 29 11:31:54 EST 2001


> On Tue, 28 Aug 2001, Stuart Lamble wrote:
> 
> > To clarify why we're using PAM: the system in question is set up to
> > communicate with a Kerberos server, with all authentication being done
> > using Kerberos. It's somewhat easier to do all of that with PAM than to
> > try to replace login, etc.
> 
> Are you using the pam_krb5 module shipped with Solaris ?

Yes.

> Does pam_krb5 work properly for you when used with dtlogin or /bin/login (i.e.
> login at the console)?

It seemed to; it certainly didn't die in the way that ssh did.

> > There's also been the question of whether do_pam_setcred() should be called
> > before or after the uid has been set to the user's. Changing the code to
> > call do_pam_setcred() after the call to permanently_set_uid(), however,
> > seems to make no difference to the crashing.
> 
> It has to be before you give up root creds since there are assumptions in
> some PAM modules that they can do things only root can do (making private
> NFS system calls to pass creds down to the kernel for use by NFS).

Hrm. Then this is a bit of a problem -- if the pam stuff is called as root,
the kerberos module writes out the TGT in /tmp as owned by root, rather than
by the user it represents. This raises obvious problems with renewing and
destroying the ticket, and probably other, rather more subtle problems too.

> Does sshd work for you when you use pam_unix instead of pam_krb5 ?

Yes, both normally, and in the way that normally fails with ssh (pretty
sure I described it in the original email, but it's outlined below just
in case.)

> Are you using only pam_krb5 ?

There is a fallback to unix (pam_unix.so.1 is listed as "sufficient",
before the kerberos authentication). Actually... *clickety clickety*
nope, putting kerberos authentication as "sufficient" prior to the
standard pam_unix ("required") doesn't solve the problem. If anything,
it makes it worse (impossible to ssh in as root). *puts everything
back so that pam_unix is called first*

Note that removing pam_unix from the list is not really an option, since
that's how we authenticate root (although I suppose we could leave it so
that we ssh in as the user, and then su to root... that's something to
discuss with the other sysadmins, if necessary.)

> Are you doing authentication via PAM or via publickey ? (This I think could
> be the critical part because I have a feeling there is an assumption in the
> pam_krb5 module that pam_sm_setcred is only being called after
> pam_sm_authenticate.)

Via PAM (ie: ssh in, it asks me for a password [NOT a passphrase], I give
it an invalid password followed by a valid password ==> bang. I give it
a valid password ==> everything works happily.) I haven't yet set up an
ssh private/public keypair for myself.

Again, many thanks,

Stuart.
