Pending OpenSSH release, call for testing.

Douglas E. Engert deengert at anl.gov
Tue Aug 31 06:44:54 EST 2004



Darren Tucker wrote:
> Darren Tucker wrote:
> 
>>     OpenSSH is getting ready for a release soon, so we are asking for 
>> all interested parties to test a snapshot.
> 
> 
> * ssh_gssapi_storecreds called to late for PAM (bug #918)
> Someone who knows krb5/gssapi want to comment on that one?
> 

(I wrote the bug report, but can comment on it as well.)

The idea is to pass on to a pam session routine
the KRB5CCNAME environment variable. This can be used with a
pam_openafs session routine to get a PAG and AFS token for example.

The KRB5CCNAME is the pointer to the Kerberos ticket cache with the
delegated credentials from GSSAPI. The AFS aklog can use this to
get an AFS token.

gss-serv-krb5.c already had a call to do_pam_putenv to add the
KRB5CCNAME to the pam_environment. This was in 3.8. But the
call to ssh_gssapi_storecreds in session.c which eventually calls the
do_pam_putenv is called AFTER the do_pam_session. Thus the
KRB5CCNAME is not passed in to the pam session routine.

This mod moves the call to ssh_gssapi_storecreds before the
call to do_pam_session.

In the following traces, the pam_sm_open_session lines are written to
stderr by my test pam routine.

A sample trace without this mod:

Accepted gssapi-with-mic for uuuuuu from nnn.nnn.nnn.nnn port 40883 ssh2
pam_sm_open_session flag=0
pam_sm_open_session pid=16163 uid=0 euid=0
pam_sm_open_session, pw_dir=/afs/my.cell/usr/uuuuuu
pam_sm_open_session Kenv=(none)          <------------ no KRB5CCNAME
debug1: PAM: reinitializing credentials

With this mod:

Accepted gssapi-with-mic for uuuuuu from nnn.nnn.nnn.nnn port 1261 ssh2
debug1: temporarily_use_uid: 100/100 (e=0/100)
debug1: restore_uid: 0/100
pam_sm_open_session flag=0
pam_sm_open_session pid=15900 uid=0 euid=0
pam_sm_open_session, pw_dir=/afs/my.cell/usr/uuuuuu
pam_sm_open_session Kenv=FILE:/tmp/krb5cc_100_y15900 <---- found KRB5CCNAME
debug1: PAM: reinitializing credentials

Note: If this mod is added, even if the kafs lib is not available,
sshd can still be used with AFS. This would allow one
to use a vendor's build of OpenSSH even if not built with AFS.
One would not need to do a rebuild!  All that is needed is for OpenAFS
to provide the pam session routine, thus making for a clean separation
of OpenSSH and OpenAFS. Eventually the USE_AFS code could be removed
from OpenSSH.

Unfortunately, if the system does not have PAM, then one would
still need to use the older methods.

There are three ways a Kerberos ticket cache could be created
in OpenSSH:
  (1) delegated by the GSSAPI,
  (2) by ChallengeResponse and PAM,
  (3) created by the auth-krb5 from entering a user/password,

(1) is covered by the above.
(2) can be taken care of internally by pam_krb5
(3) needs an additional mod.

I can submit this mod as a bug for case (3) if you want.


--- ,auth-krb5.c	Sat Aug 14 08:55:37 2004
+++ auth-krb5.c	Mon Aug 30 14:31:30 2004
@@ -187,6 +187,11 @@
  	snprintf(authctxt->krb5_ccname, len, "FILE:%s",
  	    authctxt->krb5_ticket_file);

+#ifdef USE_PAM
+	if (options.use_pam)
+		do_pam_putenv("KRB5CCNAME",authctxt->krb5_ccname);
+#endif
+
   out:
  	restore_uid();
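
Review bot: The added call `do_pam_putenv("KRB5CCNAME",authctxt->krb5_ccname);` has no space after the comma, unlike the `snprintf(authctxt->krb5_ccname, len, "FILE:%s",` context line directly above it, and its result is not looked at. Suggest writing it as `do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);` and adding a one-line comment above the `#ifdef USE_PAM` block saying the variable is exported so that PAM session modules can find the ticket cache. If do_pam_putenv can report failure, a debug message on that path would make a missing KRB5CCNAME in the session routine easier to diagnose.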



-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
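
The traces above show the session routine running with uid=0 euid=0 and receiving a FILE: cache path under /tmp. As an added example (not part of the original post, nor OpenSSH or OpenAFS code), here is a check such a routine could apply to the value it gets from pam_getenv() before acting on the cache; the function name, return codes and the policy itself are assumptions of this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return codes (hypothetical, for this example only). */
enum { CC_OK = 0, CC_UNSET = -1, CC_NOT_FILE = -2, CC_OPEN = -3,
       CC_TYPE = -4, CC_OWNER = -5, CC_MODE = -6 };

/*
 * Validate a KRB5CCNAME value such as "FILE:/tmp/krb5cc_100_y15900"
 * before a root-privileged session routine uses the cache it names.
 * ccname may be NULL; uid is the user the session is opened for.
 */
int check_ccname(const char *ccname, uid_t uid)
{
	struct stat st;
	int fd, rc = CC_OK;

	if (ccname == NULL || *ccname == '\0')
		return CC_UNSET;	/* the "Kenv=(none)" case */
	if (strncmp(ccname, "FILE:", 5) != 0 || ccname[5] != '/')
		return CC_NOT_FILE;	/* only absolute FILE: caches */
	/* O_NOFOLLOW: refuse a symlink sitting at the cache path. */
	fd = open(ccname + 5, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
	if (fd < 0)
		return CC_OPEN;
	if (fstat(fd, &st) != 0)
		rc = CC_OPEN;
	else if (!S_ISREG(st.st_mode))
		rc = CC_TYPE;
	else if (st.st_uid != uid)
		rc = CC_OWNER;		/* cache must belong to the user */
	else if (st.st_mode & (S_IRWXG | S_IRWXO))
		rc = CC_MODE;		/* no group/other access */
	close(fd);
	return rc;
}

int main(void)
{
	int rc = check_ccname(getenv("KRB5CCNAME"), geteuid());
	printf("KRB5CCNAME check: %d\n", rc);
	return rc == CC_OK ? 0 : 1;
}
```

The check only covers the moment it runs; a routine that later hands the path to another program should do so after dropping to the user's uid.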



