Possible security flaw in OpenSSH and/or pam_krb5
Darren Tucker
dtucker at zip.com.au
Fri Jun 17 23:43:16 EST 2005
Stephen Frost wrote:
> This caught me slightly off-guard so I'd like to just double-check...
> As far as I'm aware it's not possible to duplicate what pam_krb5 does
> (takes a password, gets a TGT and a host/<fqdn> for the user and dumps
> it into their KRB5CCACHE) with OpenSSH today.
Does KerberosAuthentication=yes + PasswordAuthentication do what you
want? Since some time last year, auth_krb5_password() will put
KRB5CCNAME where PAM can find it:
#ifdef USE_PAM
if (options.use_pam)
do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
#endif
That's in 4.0p1 and 4.1p1 (from Doug Engert).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list