Problems with PAM environments in ssh

Craig Gallek cgallek at gmail.com
Fri May 13 08:12:09 EST 2005


I’ve stumbled across a rather obscure problem with ssh.  My machine is
set up to use Kerberos authentication, i.e., I use the pam_krb5 module in
the ssh auth section of the PAM configuration file and I have sshd
compiled to accept valid Kerberos 5 tickets as well.  I also use OpenAFS,
so I’ve got the pam_openafs_session module in the ssh session section of
the PAM configuration file.

Everything works as expected when I log in as a user that has not yet
obtained any Kerberos credentials.  The pam_krb5 module successfully
authenticates a user by prompting for a user name and password and obtains
tickets.  Then the pam_openafs_session module runs aklog and obtains AFS
tokens.

When connecting to the machine as a user who has already obtained valid
Kerberos credentials, authentication occurs as expected (I’m not prompted
for a password) but pam_openafs_session fails to obtain AFS tokens.  I’m
using ssh protocol 2, so token passing is not possible (as far as I can
tell).  pam_openafs_session fails because the KRB5CCNAME variable is not
set in the PAM environment at the time the module is used.

In the successful case of authenticating with pam_krb5 via a password, the
pam_krb5 module successfully exports the KRB5CCNAME variable into the PAM
environment during the auth phase.  When authenticating with existing
Kerberos credentials, the pam_sm_authenticate function in the auth module
of pam_krb5 is never called by ssh, so it never has a chance to set
KRB5CCNAME.

sshd eventually exports the KRB5CCNAME variable into the PAM environment,
but it doesn’t happen until the ssh_gssapi_krb5_storecred function, which
occurs after the call to do_pam_session is made during the
privsep_postauth process.

Here is an outline of the code in the main function of sshd.c that
illustrates the problem:

authenticated:
    /*
     * In privilege separation, we fork another child and prepare
     * file descriptor passing.
     */
    if (use_privsep) {
        /***** eventually calls do_pam_session *****/
        privsep_postauth(authctxt);
        /* the monitor process [priv] will not return */
        if (!compat20)
            destroy_sensitive_data();
    }

    /* Start session. */
    /***** eventually sets KRB5CCNAME in the PAM env *****/
    do_authenticated(authctxt);

    /* The connection has been terminated. */
    verbose("Closing connection to %.100s", remote_ip);

I’m not really sure what the proper solution to this problem is.  Should
the account module of pam_krb5 set this environment variable?  Should sshd
do it before calling the session code in pam_openafs_session?

Any suggestions are greatly appreciated.

Thanks,
Craig
More information about the openssh-unix-dev mailing list