[Bug 127] New: PAM with ssh authentication and pam_krb5 doesn't work properly

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Feb 28 05:34:06 EST 2002


http://bugzilla.mindrot.org/show_bug.cgi?id=127

           Summary: PAM with ssh authentication and pam_krb5 doesn't work
                    properly
           Product: Portable OpenSSH
           Version: 3.0.2p1
          Platform: UltraSparc
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: b_smith44 at hotmail.com


when using authenticating against pam_krb5 a user can only login when sshd is 
configured to use the system's login routine. the byproduct of this problem is 
that the user can not use X forwarding.

this patch fixes the problem by modifying the call to pam_setcred to only use 
the PAM_ESTABLISH_CRED flag.

users can now login (at least with solaris 8) with the pam.conf entry:

sshd  auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
sshd  auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass


*** auth-pam.c- Mon Feb 25 18:36:04 2002
--- auth-pam.c  Tue Feb 26 10:05:31 2002
***************
*** 297,304 ****
       do_pam_set_conv(&conv);

       debug("PAM establishing creds");
!       pam_retval = pam_setcred(__pamh,
!           init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED);
       if (pam_retval != PAM_SUCCESS) {
               if (was_authenticated)
                       fatal("PAM setcred failed[%d]: %.200s",
--- 297,303 ----
       do_pam_set_conv(&conv);

       debug("PAM establishing creds");
!       pam_retval = pam_setcred(__pamh, PAM_ESTABLISH_CRED);
       if (pam_retval != PAM_SUCCESS) {
               if (was_authenticated)
                       fatal("PAM setcred failed[%d]: %.200s",



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.



More information about the openssh-unix-dev mailing list