Possible security flaw in OpenSSH and/or pam_krb5

Darren Tucker dtucker at zip.com.au
Fri Jun 17 23:43:16 EST 2005


Stephen Frost wrote:
> This caught me slightly off-guard so I'd like to just double-check...
> As far as I'm aware it's not possible to duplicate what pam_krb5 does
> (takes a password, gets a TGT and a host/<fqdn> for the user and dumps
> it into their KRB5CCACHE) with OpenSSH today.

Does KerberosAuthentication=yes + PasswordAuthentication do what you 
want?  Since some time last year, auth_krb5_password() will put 
KRB5CCNAME where PAM can find it:

#ifdef USE_PAM
         if (options.use_pam)
                 do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
#endif

That's in 4.0p1 and 4.1p1 (from Doug Engert).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
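
The following is an added example, not part of the original message and not OpenSSH code: a small checker for the three sshd settings that the reply and the quoted snippet depend on (KerberosAuthentication, PasswordAuthentication, and UsePAM, which is the keyword behind options.use_pam). It assumes the portable OpenSSH defaults documented in sshd_config(5), reads only the global section (Match blocks and Include files are not followed), and the function names and sample text are constructed for illustration.

```python
# Added example, not OpenSSH code. Defaults below are assumed from the
# sshd_config(5) man page of portable OpenSSH; vendor builds may differ.
REQUIRED = {
    "kerberosauthentication": "yes",  # password is validated against the KDC
    "passwordauthentication": "yes",  # the path that calls auth_krb5_password()
    "usepam": "yes",                  # guards the do_pam_putenv() call
}
ASSUMED_DEFAULTS = {
    "kerberosauthentication": "no",
    "passwordauthentication": "yes",
    "usepam": "no",
}

def effective_settings(config_text):
    """Return the global value of each keyword of interest."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # conditional blocks are out of scope for this check
        # sshd uses the first value it obtains for a keyword.
        if keyword in REQUIRED and len(parts) > 1 and keyword not in seen:
            seen[keyword] = parts[1].lower()
    return {k: seen.get(k, ASSUMED_DEFAULTS[k]) for k in REQUIRED}

def blockers(config_text):
    """List settings that keep KRB5CCNAME from reaching the PAM environment."""
    eff = effective_settings(config_text)
    return sorted(f"{k}={eff[k]}" for k in REQUIRED if eff[k] != REQUIRED[k])

SAMPLE = """\
# constructed sample, not a real host's configuration
UsePAM yes
KerberosAuthentication=yes
kerberosauthentication no
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    print(blockers(SAMPLE) or "KRB5CCNAME export path is enabled")
```

Feeding it the output of `sshd -T` instead of the raw file checks the configuration sshd actually resolved, since that output lists one lowercase keyword per line.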



