I am try to setup single sign-on and found this is imposuble due to bug in OpenSSH: currently sshd do pam_authenticate() and pam_acct_mgmt() from child process, but pam_setcred() from paren proccess. pam_krb5 in pam_sm_setcred() required information from pam_sm_authenticate and can't work corretly (can't create /tmp/krb5cc_NNNN, can't set envirompent KRB5CCNAME and so). In logs/debugs this is as openpam_dispatch(): pam_krb5.so: pam_sm_setcred(): failed to retrieve user credentials
On Thu, Aug 29, 2013 at 04:48:44AM +0400, Slawa Olhovchenkov wrote:> I am try to setup single sign-on and found this is imposuble due to > bug in OpenSSH: currently sshd do pam_authenticate() and > pam_acct_mgmt() from child process, but pam_setcred() from paren > proccess. pam_krb5 in pam_sm_setcred() required information from > pam_sm_authenticate and can't work corretly (can't create > /tmp/krb5cc_NNNN, can't set envirompent KRB5CCNAME and so). > > In logs/debugs this is as > > openpam_dispatch(): pam_krb5.so: pam_sm_setcred(): failed to retrieve user credentialsAs I see, similar bug open in upstream from 2003: https://bugzilla.mindrot.org/show_bug.cgi?id=688
Slawa Olhovchenkov <slw at zxy.spb.ru> writes:> I am try to setup single sign-on and found this is imposuble due to > bug in OpenSSH: currently sshd do pam_authenticate() and > pam_acct_mgmt() from child process, but pam_setcred() from paren > proccess. pam_krb5 in pam_sm_setcred() required information from > pam_sm_authenticate and can't work corretly (can't create > /tmp/krb5cc_NNNN, can't set envirompent KRB5CCNAME and so).PAM authentication in OpenSSH was broken for non-trivial cases when privilege separation was implemented. Fixing it properly would be very difficult. DES -- Dag-Erling Sm?rgrav - des at des.no