[OpenAFS] MIT Kerberos V authentication with OpenAFS

Karsten Künne kuenne@rentec.com
Wed, 6 Mar 2002 19:52:22 -0500


On Wednesday 06 March 2002 17:27, Charles Clancy wrote:
| > I have gotten with the shipped solaris 8 pam_krb5 module to log into
| > the console with the appropriate ticket and such. But ssh does not
| > want to do it. Anyone doing this? If so might I pick your brain on a
| > few things?
|
| Around version 2.9, OpenSSH stopped working with stock Solaris krb5 PAM.
| I don't know why, and I haven't been motivated enough to figure out why.
| Someone on focus-sun@securityfocus.com reported similar behaviour a while
| back, which verified it "wasn't just me".  If you go back to OpenSSH
| 2.5.1, you shouldn't have a problem.  I'm not sure if that version is
| secure, however.  If you are familiar enough with PAM, it's not too hard
| to trace the PAM client code in OpenSSH to find the point of failure -- like
| I said, I just haven't been motivated to do so.
|
| The stock Solaris krb5 PAM has had some interesting problems.  At one
| point, it would only authenticate people with 8 character or fewer
| passwords.  A patch cluster about a year ago seemed to fix that problem.
|
| I have yet to see the module work at all on 32-bit Solaris 8 machines.  I
| had some Ultra 2's that prefer to not run the 64-bit version of Solaris,
| because there's some exploit in the processor itself when running the
| 64-bit version of Solaris.  The command line utilities, kinit, et al,
| worked fine -- it was just krb5 PAM.

The stock Solaris krb5 PAM doesn't like to be called with pam_setcred and 
PAM_REINITIALIZE_CRED set. As a workaround I took out that line in the ssh 
sources. Following is a small patch for openssh-2.9p2:

--- ./session.c.orig    Thu Nov 15 21:18:21 2001
+++ ./session.c Wed Mar  6 19:42:25 2002
@@ -1125,7 +1125,7 @@
                         * wiped by the above initgroups() call.
                         * Reestablish them here.
                         */
-                       do_pam_setcred(0);
+/*                     do_pam_setcred(0); */
 #  endif /* USE_PAM */
 #  ifdef WITH_IRIX_JOBS
                        jid = jlimit_startjob(pw->pw_name, pw->pw_uid, 
"interactive");
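Review bot: Commenting out `do_pam_setcred(0);` in this hunk drops the credential re-establishment that the surrounding comment says is needed ("wiped by the above initgroups() call. Reestablish them here."), and it does so for every PAM module, not only Solaris krb5. Any credentials a module set up before initgroups() will therefore stay wiped for the session. Rather than removing the call outright, consider guarding it with a build-time or configuration option so that the call is skipped only on systems where the krb5 module rejects PAM_REINITIALIZE_CRED, and use `#if 0` / `#endif` or a named macro instead of a `/* ... */` comment-out, which leaves no trace of why the line was disabled. A one-line note in the code explaining the Solaris pam_setcred behaviour would also help the next person who reads this.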



-- 
Karsten.

"Things should be made as simple as possible, but not any simpler."
  -Albert Einstein