Problems with PAM environments in ssh

Craig Gallek cgallek at
Fri May 13 08:12:09 EST 2005

I’ve stumbled across a rather obscure problem with ssh.  My machine is
setup to use Kerberos authentication, i.e., I use the pam_krb5 module in
the ssh auth section of the PAM configuration file and I have sshd
compiled to accept valid Kerberos 5 tickets as well.  I also use OpenAFS,
so I’ve got the pam_openafs_session module in the ssh session section of
the PAM configuration file.

Everything works as expected when I log in as a user that has not yet
obtained any Kerberos credentials.  The pam_krb5 module successfully
authenticates a user by prompting for a user name and password and obtains
tickets.  Then the pam_openafs_session module runs aklog and obtains AFS

When connecting to the machine as a user who has already obtained valid
Kerberos credentials, authentication occurs as expected (I’m not prompted
for a password) but pam_openafs_session fails to obtain AFS tokens.  I’m
using ssh protocol 2, so token passing is not possible (as far as I can
tell).  pam_openafs_session fails because the KRB5CCNAME variable is not
set in the PAM environment at the time the module is used.

In the successful case of authenticating with pam_krb5 via a password, the
pam_krb5 module successfully exports the KRB5CCNAME variable into the PAM
environment during the auth phase.  When authenticating with existing
Kerberos credentials, the pam_sm_authenticate function in the auth module
of pam_krb5 is never called by ssh, so it never has a chance to set

sshd eventually exports the KRB5CCNAME variable into the PAM environment,
but it doesn’t happen until the ssh_gssapi_krb5_storecred function, which
occurs after the call to do_pam_session is made during the
privsep_postauth process.

Here is an outline of the code in the main function of sshd.c that
illustrates the problem:

    /*
     * In privilege separation, we fork another child and prepare
     * file descriptor passing.
     */
    if (use_privsep) {
        privsep_postauth(authctxt);     /***** eventually calls do_pam_session *******/
        /* the monitor process [priv] will not return */
        if (!compat20)
            destroy_sensitive_data();
    }

    /* Start session. */
    do_authenticated(authctxt);         /******** eventually sets KRB5CCNAME in the PAM env ********/

    /* The connection has been terminated. */
    verbose("Closing connection to %.100s", remote_ip);

I'm not really sure what the proper solution to this problem is.  Should
the account module of pam_krb5 set this environment variable?  Should sshd
do it before calling the session code in pam_openafs_session?

Any suggestions are greatly appreciated.
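The following is an added example, not code from the post, from OpenSSH, pam_krb5 or pam_openafs_session.  It models the decision a session module has to make before running aklog: where to look for the Kerberos credential cache when the PAM environment may or may not carry KRB5CCNAME at the time the session phase runs.  The environment lists are NULL-terminated "NAME=value" arrays, the shape that pam_getenvlist(3) and environ have; the function name find_ccache, the enum values and the sample cache names are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Where the cache name was found, or CC_NONE when nothing usable was. */
enum cc_source { CC_NONE = 0, CC_PAM_ENV, CC_PROC_ENV };

/* Look NAME up in a NULL-terminated "NAME=value" list (the form returned
 * by pam_getenvlist(3), and the form of environ). Returns the value part
 * or NULL if NAME is absent. */
static const char *env_lookup(char *const *list, const char *name)
{
	size_t n = strlen(name);

	for (; list != NULL && *list != NULL; list++)
		if (strncmp(*list, name, n) == 0 && (*list)[n] == '=')
			return *list + n + 1;
	return NULL;
}

/* Accept only a file-based cache named by an absolute path (optionally
 * with the FILE: prefix). pam_krb5 and sshd's GSSAPI storecred code both
 * create that kind of cache; anything else (relative path, other cache
 * types) is refused rather than handed to aklog. */
static int valid_ccname(const char *v)
{
	if (v == NULL || *v == '\0')
		return 0;
	if (strncmp(v, "FILE:", 5) == 0)
		v += 5;
	return v[0] == '/';
}

/*
 * Decide which credential cache aklog should use. Preference order:
 *   1. KRB5CCNAME in the PAM environment, which pam_krb5 exports after a
 *      password authentication;
 *   2. KRB5CCNAME in the process environment, the only place it can be
 *      when the auth module never ran (GSSAPI / existing tickets).
 * If neither holds a usable name, return CC_NONE and leave out untouched:
 * the module should then log and skip aklog instead of guessing a path.
 */
int find_ccache(char *const *pam_env, char *const *proc_env,
		char *out, size_t outlen)
{
	const char *v;

	if ((v = env_lookup(pam_env, "KRB5CCNAME")) != NULL) {
		if (!valid_ccname(v))
			return CC_NONE;
		snprintf(out, outlen, "%s", v);
		return CC_PAM_ENV;
	}
	if ((v = env_lookup(proc_env, "KRB5CCNAME")) != NULL) {
		if (!valid_ccname(v))
			return CC_NONE;
		snprintf(out, outlen, "%s", v);
		return CC_PROC_ENV;
	}
	return CC_NONE;
}

int main(void)
{
	/* Constructed sample environments (assumed cache names). */
	char *after_pam_krb5[] = { "KRB5CCNAME=FILE:/tmp/krb5cc_1000_Ab12", NULL };
	char *gssapi_session[] = { "PATH=/usr/bin:/bin", NULL };
	char *empty[] = { NULL };
	char buf[256];
	int r;

	/* Password login: pam_krb5 already exported the cache name. */
	r = find_ccache(after_pam_krb5, empty, buf, sizeof buf);
	printf("password login: source=%d cache=%s\n", r, buf);

	/* Existing-ticket login: PAM env has no KRB5CCNAME yet, so the
	 * module must not run aklog blindly. */
	r = find_ccache(gssapi_session, empty, buf, sizeof buf);
	printf("gssapi login: source=%d (0 means skip aklog)\n", r);
	return 0;
}
```

The second case in main() is the situation described in the post: because sshd stores the GSSAPI credential after do_pam_session has already run, the session phase sees no KRB5CCNAME in either environment and the module can only skip, which is why tokens are missing after a ticket-based login.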


More information about the openssh-unix-dev mailing list