openssh unix dev - May 2005 - Problems with PAM environments in ssh

I?ve stumbled across a rather obscure problem with ssh.  My machine is
setup to use Kerberos authentication, i.e., I use the pam_krb5 module in
the ssh auth section of the PAM configuration file and I have sshd
compiled to accept valid Kerberos 5 tickets as well.  I also use OpenAFS,
so I?ve got the pam_openafs_session module in the ssh session section of
the PAM configuration file.

Everything works as expected when I log in as a user that has not yet
obtained any Kerberos credentials.  The pam_krb5 module successfully
authenticates a user by prompting for a user name and password and obtains
tickets.  Then the pam_openafs_session module runs aklog and obtains AFS
tokens.

When connecting to the machine as a user who has already obtained valid
Kerberos credentials, authentication occurs as expected (I?m not prompted
for a password) but pam_openafs_session fails to obtain AFS tokens.  I?m
using ssh protocol 2, so token passing is not possible (as far as I can
tell).  pam_openafs_session fails because the KRB5CCNAME variable is not
set in the PAM environment at the time the module is used.

In the successful case of authenticating with pam_krb5 via a password, the
pam_krb5 module successfully exports the KRB5CCNAME variable into the PAM
environment during the auth phase.  When authenticating with existing
Kerberos credentials, the pam_sm_authenticate function in the auth module
of pam_krb5 is never called by ssh, so it never has a chance to set
KRB5CCNAME.

sshd eventually exports the KRB5CCNAME variable into the PAM environment,
but it doesn?t happen until the ssh_gssapi_krb5_storecred function, which
occurs after the call to do_pam_session is made during the
privsep_postauth process.

Here an outline of the code in the main function of sshd.c that outlines
the problem:

authenticated:
    /*
     * In privilege separation, we fork another child and prepare
     * file descriptor passing.
     */
    if (use_privsep) {
/***** eventually calls do_pam_session *******/
        privsep_postauth(authctxt);
        /* the monitor process [priv] will not return */
        if (!compat20)
            destroy_sensitive_data();
    }

    /* Start session. */
/******** eventually sets KRB5CCNAME in the PAM env ********/
    do_authenticated(authctxt);

    /* The connection has been terminated. */
    verbose("Closing connection to %.100s", remote_ip);

I?m not really sure what the proper solution to this problem is.  Should
the account module of pam_krb5 set this environment variable?  Should sshd
do it before calling the session code in pam_openafs_session??

Any suggestions are greatly appreciated.

Thanks,
Craig

Craig Gallek wrote:
> When connecting to the machine as a user who has already obtained valid
> Kerberos credentials, authentication occurs as expected (I?m not prompted
> for a password) but pam_openafs_session fails to obtain AFS tokens.  I?m
> using ssh protocol 2, so token passing is not possible (as far as I can
> tell).  pam_openafs_session fails because the KRB5CCNAME variable is not
> set in the PAM environment at the time the module is used.
What version is this?  One of the changes for 4.0p1 was:

- (dtucker) [session.c] Bug #918: store credentials from gssapi-with-mic
  authentication early enough to be available to PAM session modules when
  privsep=yes.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

On Fri, 2005-05-13 at 08:26 +1000, Darren Tucker wrote:
> What version is this?  One of the changes for 4.0p1 was:
> 
> - (dtucker) [session.c] Bug #918: store credentials from gssapi-with-mic
>   authentication early enough to be available to PAM session modules when
>   privsep=yes.
This change fixed my problem.

Thanks again,
Craig