Problems with PAM environments in ssh
Craig Gallek
cgallek at gmail.com
Fri May 13 08:12:09 EST 2005
I've stumbled across a rather obscure problem with ssh. My machine is
set up to use Kerberos authentication, i.e., I use the pam_krb5 module in
the ssh auth section of the PAM configuration file and I have sshd
compiled to accept valid Kerberos 5 tickets as well. I also use OpenAFS,
so I've got the pam_openafs_session module in the ssh session section of
the PAM configuration file.
Everything works as expected when I log in as a user that has not yet
obtained any Kerberos credentials. The pam_krb5 module successfully
authenticates a user by prompting for a user name and password and obtains
tickets. Then the pam_openafs_session module runs aklog and obtains AFS
tokens.
When connecting to the machine as a user who has already obtained valid
Kerberos credentials, authentication occurs as expected (I'm not prompted
for a password) but pam_openafs_session fails to obtain AFS tokens. I'm
using ssh protocol 2, so token passing is not possible (as far as I can
tell). pam_openafs_session fails because the KRB5CCNAME variable is not
set in the PAM environment at the time the module is used.
In the successful case of authenticating with pam_krb5 via a password, the
pam_krb5 module successfully exports the KRB5CCNAME variable into the PAM
environment during the auth phase. When authenticating with existing
Kerberos credentials, the pam_sm_authenticate function in the auth module
of pam_krb5 is never called by ssh, so it never has a chance to set
KRB5CCNAME.
sshd eventually exports the KRB5CCNAME variable into the PAM environment,
but it doesn't happen until the ssh_gssapi_krb5_storecred function, which
occurs after the call to do_pam_session is made during the
privsep_postauth process.
Here's an outline of the code in the main function of sshd.c that shows
the problem:
authenticated:
    /*
     * In privilege separation, we fork another child and prepare
     * file descriptor passing.
     */
    if (use_privsep) {
        /***** eventually calls do_pam_session *******/
        privsep_postauth(authctxt);
        /* the monitor process [priv] will not return */
        if (!compat20)
            destroy_sensitive_data();
    }

    /* Start session. */
    /******** eventually sets KRB5CCNAME in the PAM env ********/
    do_authenticated(authctxt);

    /* The connection has been terminated. */
    verbose("Closing connection to %.100s", remote_ip);
I'm not really sure what the proper solution to this problem is. Should
the account module of pam_krb5 set this environment variable? Should sshd
do it before calling the session code in pam_openafs_session?
Any suggestions are greatly appreciated.
Thanks,
Craig
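The ordering problem described in the message, modelled as a small Python program. This is an added illustration, not code from sshd, pam_krb5 or pam_openafs_session: it keeps a stand-in for the PAM environment (the store that pam_putenv/pam_getenv operate on, separate from the process environment), runs the two authentication paths from the post (password via pam_krb5, which exports KRB5CCNAME in its auth phase, and existing Kerberos credentials via GSSAPI, where pam_sm_authenticate is never called), and then runs the session module either before or after the point where sshd sets KRB5CCNAME. The ticket cache paths are constructed values, and the `export_ccname_before_session` switch is the hypothetical reordering the post asks about (sshd exporting the variable before do_pam_session); it assumes the GSSAPI path actually has delegated credentials to store.

```python
"""Model of the PAM-environment ordering problem from the post (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PamHandle:
    """Stand-in for pam_handle_t. The PAM environment is its own key/value
    store; nothing here touches the process environment."""
    env: Dict[str, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def putenv(self, name: str, value: str) -> None:   # models pam_putenv
        self.env[name] = value

    def getenv(self, name: str) -> Optional[str]:      # models pam_getenv
        return self.env.get(name)


# --- PAM modules as the post describes them ---------------------------------

def pam_krb5_authenticate(pamh: PamHandle, password_ok: bool) -> bool:
    """Auth phase of pam_krb5: on success it exports KRB5CCNAME."""
    if not password_ok:
        return False
    pamh.putenv("KRB5CCNAME", "FILE:/tmp/krb5cc_model")  # constructed path
    pamh.log.append("pam_krb5: exported KRB5CCNAME")
    return True


def pam_openafs_session_open(pamh: PamHandle) -> bool:
    """Session phase of pam_openafs_session: aklog needs KRB5CCNAME from
    the PAM environment to find the ticket cache."""
    cc = pamh.getenv("KRB5CCNAME")
    if cc is None:
        pamh.log.append("pam_openafs_session: KRB5CCNAME unset, no AFS tokens")
        return False
    pamh.log.append(f"pam_openafs_session: aklog using {cc}")
    return True


# --- sshd control flow, modelled after the outline in the post --------------

def sshd_login(has_kerberos_tickets: bool,
               export_ccname_before_session: bool = False) -> dict:
    """Run the modelled login and report whether AFS tokens were obtained.

    has_kerberos_tickets=False: password path, pam_krb5's auth module runs.
    has_kerberos_tickets=True:  GSSAPI path, pam_sm_authenticate is skipped.
    export_ccname_before_session: hypothetical reordering in which sshd
    stores delegated credentials (setting KRB5CCNAME) before do_pam_session
    instead of later, inside do_authenticated.
    """
    pamh = PamHandle()
    if has_kerberos_tickets:
        authenticated = True  # GSSAPI accepted the ticket; pam_krb5 not called
        pamh.log.append("gssapi: authenticated without calling pam_krb5")
    else:
        authenticated = pam_krb5_authenticate(pamh, password_ok=True)
    if not authenticated:
        return {"authenticated": False, "afs_tokens": False, "log": pamh.log}

    def ssh_gssapi_krb5_storecred() -> None:
        # Models the point where sshd exports KRB5CCNAME for the GSSAPI path
        # (assumes credentials were delegated; constructed cache path).
        if has_kerberos_tickets:
            pamh.putenv("KRB5CCNAME", "FILE:/tmp/krb5cc_model_gssapi")
            pamh.log.append("sshd: ssh_gssapi_krb5_storecred set KRB5CCNAME")

    if export_ccname_before_session:
        ssh_gssapi_krb5_storecred()

    # privsep_postauth -> do_pam_session: session modules run here.
    afs_tokens = pam_openafs_session_open(pamh)

    # do_authenticated -> ssh_gssapi_krb5_storecred: in the original
    # ordering this is too late for the session module to see the variable.
    if not export_ccname_before_session:
        ssh_gssapi_krb5_storecred()

    return {"authenticated": True, "afs_tokens": afs_tokens,
            "krb5ccname_final": pamh.getenv("KRB5CCNAME"), "log": pamh.log}


if __name__ == "__main__":
    for tickets in (False, True):
        for reordered in (False, True):
            r = sshd_login(tickets, reordered)
            print(f"tickets={tickets} reordered={reordered} "
                  f"-> afs_tokens={r['afs_tokens']}")
            for line in r["log"]:
                print("   ", line)
```

Running it shows the asymmetry from the post: the password path obtains AFS tokens, the existing-credentials path ends with KRB5CCNAME present in the PAM environment but only after the session module has already run, and moving the export ahead of the session phase is what makes that path succeed in the model.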