Kerberos password change patch

James F. Hranicky jfh at cise.ufl.edu
Wed Apr 23 03:44:02 EST 2003


On Tue, 22 Apr 2003 09:23:38 -0700
Frank Cusack <fcusack at fcusack.com> wrote:

> > On Tue, Apr 22, 2003 at 11:21:21AM -0400, James F. Hranicky wrote:
> > Attached is a patch that allows for an interactive Kerberos password
> > change via keyboard-interactive,
> 
> Why don't you let PAM do it?

Too many problems trying to get the same PAM to work properly across multiple
platforms. I'm tired of putting reads from FIFOs in PAM modules to get
the debugger to stop in the correct dynamically loaded module to determine
why the program is coring, only to have other problems crop up when I move,
say, from Solaris to Linux.

Plus, any problem you have you're debugging both the module and the 
implementation in the PAMified program, so it just seemed easier to cut
out the middleman and do it all in openssh.

> > Does anyone know if it's architecturally possible to get this code to
> > work under privsep, or rather, out from under privsep? Privsep is
> > a bit difficult to debug, but I'll keep plugging away if need be.
> > (Note, this patch is against 3.5p1, but the same problem happens when
> > 3.6p1 is patched with it).
> 
> There's been a patch proposed to make PAM (and kbd-int) work correctly
> under privsep.  IIRC, an import of FreeBSD code.

If I can get PAM w/password expiry working properly on Solaris and Linux,
I suppose I'd be happy. I've already dumped PAM for xdm and xlock, now
that I have kerberized versions of both, and xlock, xdm and openssh are
the only programs I'm going to bother doing password exp with. Any other
program will use PAM, without password expiration (courier IMAP, cups, etc).

Has anyone gotten PAM/Kerberos/password expiration working properly and 
consistently on Solaris and Linux?

If not, any pointers on privsep and my patch would be greatly appreciated,
although I'll be checking FreeBSD's PAM patch to see what they are doing
about it.

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh at cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------

"Given a choice between a complex, difficult-to-understand, disconcerting
 explanation and a simplistic, comforting one, many prefer simplistic
 comfort if it's remotely plausible, especially if it involves blaming
 someone else for their problems."
                                                -- Bob Lewis, _Infoworld_
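The FIFO trick Jim mentions above (a blocking read inside a dynamically loaded PAM module so the process parks itself at a known point, letting you attach a debugger after the .so is mapped and set breakpoints in it) is worth seeing in working form. The following is an added example written for this page; it is not code from the posted patch, from OpenSSH, or from any PAM module. The function names (`debug_pause_on_fifo`, `debug_fifo_release`, `debug_fifo_roundtrip`) and the FIFO path are illustrative assumptions, and the example is plain POSIX C with no PAM dependency so it can be compiled and run anywhere.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Debugging aid (illustrative, not from any real PAM module): park the
 * calling process on a blocking read() from a FIFO. While it waits here,
 * the shared object that called it is already mapped, so a debugger
 * attached to the pid can resolve that module's symbols and place
 * breakpoints in it before the interesting code path runs.
 *
 * Returns 0 once a byte was read from the FIFO, -1 on error.
 */
int debug_pause_on_fifo(const char *path)
{
    char byte;
    ssize_t n;
    int fd;

    /* Create the rendezvous FIFO if it is not already there. */
    if (mkfifo(path, 0600) == -1 && errno != EEXIST)
        return -1;

    /* O_RDWR so open() itself never blocks waiting for a writer;
     * the wait happens in read() below. */
    fd = open(path, O_RDWR);
    if (fd == -1)
        return -1;

    fprintf(stderr, "pid %ld paused; attach a debugger, then: echo go > %s\n",
            (long)getpid(), path);

    do {
        n = read(fd, &byte, 1);
    } while (n == -1 && errno == EINTR);

    close(fd);
    return n > 0 ? 0 : -1;
}

/*
 * Operator side of the rendezvous, equivalent to `echo go > path` from a
 * shell. Returns an open descriptor on success, -1 on error. The caller
 * keeps the descriptor open until the paused process has read; if the
 * last reference to the FIFO is closed first, the buffered data is lost.
 */
int debug_fifo_release(const char *path)
{
    int fd = open(path, O_RDWR);
    if (fd == -1)
        return -1;
    if (write(fd, "go\n", 3) != 3) {
        close(fd);
        return -1;
    }
    return fd;
}

/*
 * Single-process round trip used for testing: release first (the bytes
 * wait in the pipe buffer), then pause, which returns immediately.
 * Returns 0 on success, -1 on any failure. Removes the FIFO afterwards.
 */
int debug_fifo_roundtrip(const char *path)
{
    int wfd, rc;

    if (mkfifo(path, 0600) == -1 && errno != EEXIST)
        return -1;
    wfd = debug_fifo_release(path);
    if (wfd == -1) {
        unlink(path);
        return -1;
    }
    rc = debug_pause_on_fifo(path);
    close(wfd);
    unlink(path);
    return rc;
}

/* Stand-alone use: block until someone writes to the FIFO. */
int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp/pam_debug_fifo";
    if (debug_pause_on_fifo(path) == -1) {
        perror("debug_pause_on_fifo");
        return 1;
    }
    fputs("released, continuing\n", stderr);
    return 0;
}
```

In practice the call goes at the top of the module entry point you care about; once the process reports its pid, attach with `gdb -p PID`, run `sharedlibrary` so gdb loads symbols for the now-mapped module, set breakpoints, `continue`, and then `echo go > /tmp/pam_debug_fifo` from another terminal. Leave the call out of anything that ships: an unprivileged user who can create the FIFO path first can pin a privileged daemon indefinitely.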
