bugzilla-daemon at mindrot.org
2003-May-20 14:49 UTC
[Bug 445] User DCE Credentials do not get forwarded to child session
http://bugzilla.mindrot.org/show_bug.cgi?id=445

------- Additional Comments From simon at sxw.org.uk 2003-05-21 00:49 -------

The existing code only handles the situation where Kerberos credentials are created by OpenSSH's krb5 code. What would appear to be happening under OSF/1 is that one of the calls used to verify the user's login is, as a by-product, creating the credentials cache. When the child is forked, this environment information is being lost.

We already handle the case for Cygwin where we have to propagate the parent's environment to the child - this is just a special case of that.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

bugzilla-daemon at mindrot.org
2003-May-20 15:11 UTC
[Bug 445] User DCE Credentials do not get forwarded to child session
http://bugzilla.mindrot.org/show_bug.cgi?id=445

------- Additional Comments From kmy at ornl.gov 2003-05-21 01:11 -------

I am no longer running OSF1, although I may have to do so in the future. The last comment on propagating parent's environment to the child is mostly correct. The call to sia_ses_init creates a KRB5 ticket which contains authorization/authentication for the parent. This ticket information needs to be propagated to the child.

Actually, this is the proper way to handle OSF1 SIA, since the operating system SIA layer is run-time configurable by design and you do not really want to pass the user's password to KRB5 a second time. This is to say that the file /etc/sia/matrix.conf tells the OS about whether or not DCE is a valid authentication/authorization method.

In the event that DCE is being used, the parent's authorizations do need to be propagated to the child. However, we also must deal with the case wherein DCE is no longer a valid mechanism. In this case, the parent will not have an authorization to propagate.

--
Ken Matney, Sr.

bugzilla-daemon at mindrot.org
2003-May-20 15:14 UTC
[Bug 445] User DCE Credentials do not get forwarded to child session
http://bugzilla.mindrot.org/show_bug.cgi?id=445

------- Additional Comments From kmy at ornl.gov 2003-05-21 01:14 -------

Oops! That should have been sia_ses_authent instead of sia_ses_init. And sia_ses_release does not destroy the credential (also by design).

--
Ken Matney, Sr.