Pending OpenSSH release, call for testing.
Markus Moeller
huaraz at moeller.plus.com
Wed Sep 1 19:05:22 EST 2004
Could you add to this release a patch which allows gssapi to be used on a multihomed server please?
There have been several proposals in the past to fix this in
ssh_gssapi_acquire_cred
.
.
- if (gethostname(lname, MAXHOSTNAMELEN))
- return (-1);
+ lname = get_local_hostname(packet_get_connection_in());
.
.
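Review bot: the replacement line drops the failure check that the removed gethostname() call had; `lname = get_local_hostname(packet_get_connection_in());` should test the returned pointer and return -1 as before, so that a lookup failure does not feed a null name into the credential acquisition. Since lname was being passed to gethostname() as a fixed-size buffer, its declaration also has to change to a pointer, and if get_local_hostname() returns allocated storage the fragment needs a matching free. Posting the complete hunk with its @@ header and the declaration change would make this reviewable.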
Thank you
Markus
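The multihomed problem in the request above is that gethostname() names the machine, not the interface the client connected to, so the acceptor credential is looked up under a service principal the client may never have asked for. The following added example (not OpenSSH code, and not Markus Moeller's patch) shows the difference in Python: it derives the local name from the accepted socket, as the proposed get_local_hostname() change does, and builds the host/ principal from it. The helper names, the lowercasing convention and the realm EXAMPLE.COM are assumptions for illustration.

```python
import socket
from typing import Optional, Tuple

def local_name_for_connection(conn: socket.socket) -> str:
    """Name of the local end of an accepted connection, i.e. the address the
    client actually reached on a multihomed host.  Falls back to the numeric
    address when no reverse mapping exists (hypothetical helper)."""
    addr, port = conn.getsockname()[:2]
    try:
        host, _ = socket.getnameinfo((addr, port), socket.NI_NAMEREQD)
    except socket.gaierror:
        host = addr
    return host

def service_principal(hostname: str, realm: Optional[str] = None) -> str:
    """Build the host-based service principal for an acceptor.
    Hostnames are lowercased by convention in Kerberos principals (assumption)."""
    principal = "host/" + hostname.lower()
    if realm:
        principal += "@" + realm
    return principal

def demo(realm: str = "EXAMPLE.COM") -> Tuple[str, str]:
    """Accept one loopback connection (constructed locally, no network needed)
    and return the principal derived from gethostname() beside the one derived
    from the connected socket.  On a single-homed box they usually agree; on a
    multihomed server only the second matches what the client requested."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    conn, _ = listener.accept()
    try:
        per_host = service_principal(socket.gethostname(), realm)
        per_conn = service_principal(local_name_for_connection(conn), realm)
    finally:
        conn.close()
        client.close()
        listener.close()
    return per_host, per_conn

if __name__ == "__main__":
    by_hostname, by_socket = demo()
    print("gethostname() principal:", by_hostname)
    print("per-connection principal:", by_socket)
```

The check worth keeping in mind is that the name derived from the socket must itself be trustworthy: a reverse lookup under the server's control (its own /etc/hosts or a resolver it trusts) is fine, while an attacker-controlled PTR record is not, so the fallback to the numeric address is deliberate rather than a convenience.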
On Monday 30 August 2004 21:44, Douglas E. Engert wrote:
> Darren Tucker wrote:
> > Darren Tucker wrote:
> >> OpenSSH is getting ready for a release soon, so we are asking for
> >> all interested parties to test a snapshot.
> >
> > * ssh_gssapi_storecreds called too late for PAM (bug #918)
> > Someone who knows krb5/gssapi want to comment on that one?
>
> (I wrote the bug report, but can comment on it as well.)
>
> The idea is to pass on to a pam session routine
> the KRB5CCNAME environment variable. This can be used with a
> pam_openafs session routine to get a PAG and AFS token for example.
>
> The KRB5CCNAME is the pointer to the Kerberos ticket cache with the
> delegated credentials from GSSAPI. The AFS aklog can use this to
> get an AFS token.
>
> gss-serv-krb5.c already had a call to do_pam_putenv to add the
> KRB5CCNAME to the pam_environment. This was in 3.8. But the
> call to ssh_gssapi_storecreds in session.c which eventually calls the
> do_pam_putenv is called AFTER the do_pam_session. Thus the
> KRB5CCNAME is not passed in to the pam session routine.
>
> This mod moves the call to ssh_gssapi_storecreds before the
> call to do_pam_session.
>
> In the following traces, the pam_sm_open_session lines are written to
> stderr by my test pam routine.
>
> A sample trace without this mod:
>
> Accepted gssapi-with-mic for uuuuuu from nnn.nnn.nnn.nnn port 40883 ssh2
> pam_sm_open_session flag=0
> pam_sm_open_session pid=16163 uid=0 euid=0
> pam_sm_open_session, pw_dir=/afs/my.cell/usr/uuuuuu
> pam_sm_open_session Kenv=(none) <------------ no KRB5CCNAME
> debug1: PAM: reinitializing credentials
>
> With this mod:
>
> Accepted gssapi-with-mic for uuuuuu from nnn.nnn.nnn.nnn port 1261 ssh2
> debug1: temporarily_use_uid: 100/100 (e=0/100)
> debug1: restore_uid: 0/100
> pam_sm_open_session flag=0
> pam_sm_open_session pid=15900 uid=0 euid=0
> pam_sm_open_session, pw_dir=/afs/my.cell/usr/uuuuuu
> pam_sm_open_session Kenv=FILE:/tmp/krb5cc_100_y15900 <---- found KRB5CCNAME
> debug1: PAM: reinitializing credentials
>
> Note: If this mod is added, even if the kafs lib is not available,
> sshd can still be used with AFS. This would allow one
> to use a vendor's build of OpenSSH even if not built with AFS.
> One would not need to do a rebuild! All that is needed is for OpenAFS
> to provide the pam session routine, thus making for a clean separation
> of OpenSSH and OpenAFS. Eventually the USE_AFS code could be removed
> from OpenSSH.
>
> Unfortunately, if the system does not have PAM, then one would
> still need to use the older methods.
>
> There are three ways a Kerberos ticket cache could be created
> in OpenSSH:
> (1) delegated by the GSSAPI,
> (2) by ChallengeResponse and PAM,
> (3) created by the auth-krb5 from entering a user/password,
>
> (1) is covered by the above.
> (2) can be taken care of internally by pam_krb5
> (3) needs an additional mod.
>
> I can submit this mod as a bug for case (3) if you want.
>
>
> --- ,auth-krb5.c Sat Aug 14 08:55:37 2004
> +++ auth-krb5.c Mon Aug 30 14:31:30 2004
> @@ -187,6 +187,11 @@
> snprintf(authctxt->krb5_ccname, len, "FILE:%s",
> authctxt->krb5_ticket_file);
>
> +#ifdef USE_PAM
> + if (options.use_pam)
> + do_pam_putenv("KRB5CCNAME",authctxt->krb5_ccname);
> +#endif
> +
> out:
> restore_uid();
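Review bot: the new do_pam_putenv() call ignores its result, so a failure to set KRB5CCNAME in the PAM environment goes unnoticed and pam_sm_open_session silently sees no ticket cache, which is exactly the symptom the traces above were written to catch; logging a debug message on a non-zero return would make that visible. Style: `do_pam_putenv("KRB5CCNAME",authctxt->krb5_ccname);` wants a space after the comma to match the surrounding code. Placement just before the `out:` label is right, since only the path that has just built authctxt->krb5_ccname with snprintf reaches the new lines.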
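The two traces in the quoted message are the evidence for the ordering bug: after a GSSAPI login, the test PAM module either sees KRB5CCNAME or it does not. The following added example (not part of the thread, and not OpenSSH code) is a small log check that reads sshd output containing those pam_sm_open_session lines and reports GSSAPI sessions in which no ticket cache reached the PAM session stage. The two sample traces are constructed from the lines quoted above with the hand-written arrows removed; the `Kenv=` line format is that of Douglas Engert's test module, so the check only applies where such a module is logging.

```python
import re
from typing import Dict, Iterable, List, Optional

# "Accepted <method> for <user> from <addr> port <port> ssh2" (sshd auth log line)
ACCEPTED_RE = re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port (\d+)")
# Line written by the test PAM session module quoted in the thread
KENV_RE = re.compile(r"^pam_sm_open_session Kenv=(\S+)")

def parse_sessions(lines: Iterable[str]) -> List[Dict[str, Optional[str]]]:
    """Group trace lines into sessions: one record per 'Accepted' line, carrying
    the auth method, user and the KRB5CCNAME value seen by pam_sm_open_session
    (None when the module reported '(none)' or never logged it)."""
    sessions: List[Dict[str, Optional[str]]] = []
    current: Optional[Dict[str, Optional[str]]] = None
    for raw in lines:
        line = raw.strip()
        m = ACCEPTED_RE.match(line)
        if m:
            current = {"method": m.group(1), "user": m.group(2),
                       "source": m.group(3), "kenv": None}
            sessions.append(current)
            continue
        m = KENV_RE.match(line)
        if m and current is not None:
            value = m.group(1)
            current["kenv"] = None if value == "(none)" else value
    return sessions

def ccname_missing(sessions: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """GSSAPI sessions where delegated credentials never reached the PAM session
    stage: the signature of ssh_gssapi_storecreds running after do_pam_session."""
    return [s for s in sessions
            if s["method"] == "gssapi-with-mic" and s["kenv"] is None]

# Constructed sample traces, taken from the post (annotations stripped).
TRACE_WITHOUT_MOD = """\
Accepted gssapi-with-mic for uuuuuu from nnn.nnn.nnn.nnn port 40883 ssh2
pam_sm_open_session flag=0
pam_sm_open_session pid=16163 uid=0 euid=0
pam_sm_open_session, pw_dir=/afs/my.cell/usr/uuuuuu
pam_sm_open_session Kenv=(none)
debug1: PAM: reinitializing credentials
""".splitlines()

TRACE_WITH_MOD = """\
Accepted gssapi-with-mic for uuuuuu from nnn.nnn.nnn.nnn port 1261 ssh2
debug1: temporarily_use_uid: 100/100 (e=0/100)
debug1: restore_uid: 0/100
pam_sm_open_session flag=0
pam_sm_open_session pid=15900 uid=0 euid=0
pam_sm_open_session, pw_dir=/afs/my.cell/usr/uuuuuu
pam_sm_open_session Kenv=FILE:/tmp/krb5cc_100_y15900
debug1: PAM: reinitializing credentials
""".splitlines()

if __name__ == "__main__":
    for label, trace in (("without mod", TRACE_WITHOUT_MOD), ("with mod", TRACE_WITH_MOD)):
        missing = ccname_missing(parse_sessions(trace))
        print(f"{label}: {len(missing)} GSSAPI session(s) without KRB5CCNAME in PAM")
```

Run against a real `sshd -d` trace with the test module loaded, a non-empty result from ccname_missing() means the PAM session stack (pam_openafs or similar) ran without a credential cache, so any token it tried to obtain from delegated Kerberos credentials would not have been created.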
More information about the openssh-unix-dev
mailing list