reinit_creds (was Re: OpenSSHd barfs upon reauthentication: PAM, Solaris 8)

Nicolas Williams Nicolas.Williams at ubsw.com
Thu Sep 6 05:18:20 EST 2001


[Cc'ing pam-list at redhat.com]

On Tue, Aug 28, 2001 at 11:45:40AM -0700, Darren J Moffat wrote:
> On Tue, 28 Aug 2001, Stuart Lamble wrote:
> 
> > To clarify why we're using PAM: the system in question is set up to
> > communicate with a Kerberos server, with all authentication being done
> > using Kerberos. It's somewhat easier to do all of that with PAM than to
> > try to replace login, etc.
> 
> Are you using the pam_krb5 module shipped with Solaris?
> Does pam_krb5 work properly for you when used with dtlogin or /bin/login (i.e.
> login at the console)?

Looking at our copy of Solaris 2.6 and 8 source code I can see that Sun's
pam_krb5 treats PAM_REINITIALIZE_CREDS and PAM_REFRESH_CREDS as
synonyms. Also, not one Sun app uses PAM_REINITIALIZE_CREDS (ok, I
haven't checked dtlogin's source code -- I could).

> > There's also been the question of whether do_pam_setcred() should be called
> > before or after the uid has been set to the user's. Changing the code to
> > call do_pam_setcred() after the call to permanently_set_uid(), however,
> > seems to make no difference to the crashing.
> 
> It has to before you give up root creds since there are assumptions in
> some PAM modules that it can do things only root can do (making private
> nfs system calls to pass creds down to the kernel for use by NFS).

Neither the Sun PAM documentation nor the Linux-PAM documentation
describe the semantics of PAM_REINITIALIZE_CREDS in any useful detail.

Could we please have a clarification on the semantics of
PAM_CRED_ESTABLISH vs. the semantics of PAM_REINITIALIZE_CREDS?

My guess, given what OpenSSH does with PAM: PAM_CRED_ESTABLISH means
"make it so we can use your module's credentials as root" whereas
PAM_REINITIALIZE_CREDS means "make it so we can use your module's
credentials as pam_get_item(PAM_USER)."

And, given what OpenSSH does, it seems that
pam_setcred(PAM_REINITIALIZE_CREDS) should be called with
(euid==0 || uid==0) and gid/egid/groups set up to be the PAM_USER's.

But none of this is documented!

As for PAM_KRB5, assuming my interpretation of PAM_REINITIALIZE_CREDS is
correct, it should create a root-owned ccache when its pam_sm_setcred()
is called to PAM_CRED_ESTABLISH and it should create a PAM_USER-owned
ccache when its pam_sm_setcred() is called to PAM_REINITIALIZE_CREDS.

[...]
> --
> Darren J Moffat

The semantics of pam_setcred()'s flags must be documented, and possibly
even agreed upon, before this problem can be closed.

Cheers,

Nico
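
The precondition proposed above for pam_setcred(PAM_REINITIALIZE_CREDS), written as a check a daemon could run just before that call. This is an added example, not part of the original message or of OpenSSH, and it encodes the post's guess rather than documented PAM behaviour; `cred_state`, `check_reinit_state` and `snapshot_creds` are hypothetical names.

```c
/* Added example: verify process credentials before the "reinitialize creds"
 * pam_setcred() call, per the post's guessed contract (an assumption):
 * (euid==0 || uid==0) and gid/egid/groups already set to PAM_USER's. */
#include <stdbool.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 64

struct cred_state {            /* hypothetical snapshot of process credentials */
    uid_t uid, euid;
    gid_t gid, egid;
    int ngroups;
    gid_t groups[MAX_GROUPS];
};

enum reinit_check { REINIT_OK, REINIT_NOT_ROOT, REINIT_WRONG_GID, REINIT_WRONG_GROUPS };

static bool has_group(const gid_t *set, int n, gid_t g) {
    for (int i = 0; i < n; i++)
        if (set[i] == g) return true;
    return false;
}

/* want/nwant: PAM_USER's supplementary groups, e.g. what initgroups() would set. */
enum reinit_check check_reinit_state(const struct cred_state *s, gid_t user_gid,
                                     const gid_t *want, int nwant) {
    if (s->uid != 0 && s->euid != 0)
        return REINIT_NOT_ROOT;            /* module could no longer do root-only work */
    if (s->gid != user_gid || s->egid != user_gid)
        return REINIT_WRONG_GID;
    /* Compare as sets: getgroups() may or may not list the effective gid. */
    for (int i = 0; i < nwant; i++)
        if (!has_group(s->groups, s->ngroups, want[i]))
            return REINIT_WRONG_GROUPS;    /* a group of the user is missing */
    for (int i = 0; i < s->ngroups; i++)
        if (s->groups[i] != user_gid && !has_group(want, nwant, s->groups[i]))
            return REINIT_WRONG_GROUPS;    /* leftover group, e.g. root's */
    return REINIT_OK;
}

/* Fill a snapshot from the live process; false if getgroups() fails. */
bool snapshot_creds(struct cred_state *s) {
    s->uid = getuid();  s->euid = geteuid();
    s->gid = getgid();  s->egid = getegid();
    s->ngroups = getgroups(MAX_GROUPS, s->groups);
    return s->ngroups >= 0;
}
```

A daemon would call `snapshot_creds()` after setting the group IDs and before the permanent uid change, and refuse to proceed on any result other than `REINIT_OK`.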