John Houck <[EMAIL PROTECTED]> writes:

> By default, for ssh logins that are authenticated by prompting
> for a kerberos password, pam_krb5.so will put user credentials
> in /tmp/krb5cc_0, overwriting any existing file by that name,
> no matter which user owns the file.

What version of OpenSSH are you using? Given that symptom, you almost certainly have a broken version. There is a serious bug in older versions of OpenSSH's PAM support that tells the PAM module to refresh credentials rather than initialize them, which is consistent with this particular bug report. This isn't something that the PAM module can fix; it's a bug in OpenSSH that has to be fixed there (and is documented as such in the pam-krb5 documentation as of version 3.0, which is unfortunately one release after what's currently in Debian stable).

Old versions of OpenSSH are known to call pam_authenticate followed by pam_setcred(PAM_REINITIALIZE_CRED) without first calling pam_open_session, thereby requesting that an existing ticket cache be renewed (similar to what a screensaver would want) rather than requesting a new ticket cache be created. Since this behavior is indistinguishable at the PAM level from a screensaver, pam-krb5 when used with these old versions of OpenSSH will refresh the ticket cache of the OpenSSH daemon rather than setting up a new ticket cache for the user. The resulting ticket cache will have the correct permissions (this is not a security concern), but will not be named correctly or referenced in the user's environment and will be overwritten by the next user login.

The best solution to this problem is to upgrade OpenSSH. I'm not sure exactly when this problem was fixed, but at the very least OpenSSH 4.3 and later do not exhibit it. The version of OpenSSH that shipped with Debian stable works properly, but if you have a mixed oldstable system, you may see this problem.

> The ccache option is supposed to allow customizing the name of the
> credentials file. Regarding that option, the man page says:
>
> > This option can be set in krb5.conf and is only
> > applicable to the auth and session groups.
>
> This is incorrect -- ccache cannot be set in krb5.conf

I'm not sure what to say other than "yes, it can."
Support is there in the code and I just tested it and it worked fine. That code hasn't changed since 2.3. Of course, if you have the above problem, you won't see the benefits of setting it when logging in via ssh; you'd need to use a non-broken program such as login.

> An email associated with bug 341926 mentions updating the NEWS
> file to make people aware of this, but I saw no such entry in
> the NEWS file or any mention of it in the README files.

Yeah, the NEWS.Debian file isn't being installed; it looks like that was broken at some point in a refactoring of the package. At this point, though, that change is so far in the past (2005) that I don't believe it should be. I'll delete it entirely in the next release; it would only be shown to people upgrading from versions before 1.2.0-2 anyway.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
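For readers of the thread who want to see what "setting ccache in krb5.conf" actually looks like, the following is an added illustration, not part of Russ Allbery's reply and not a fragment from the pam-krb5 package itself. It assumes the pam-krb5 convention of reading its options from a `pam` stanza in the `[appdefaults]` section of krb5.conf, with `%u` expanded to the user's numeric UID and a trailing run of six `X` characters filled in by mkstemp(); the directory `/var/tmp` is simply a chosen value.

```ini
# krb5.conf fragment (constructed example; the path is illustrative)
[appdefaults]
    pam = {
        # Name each user's ticket cache after their UID instead of relying
        # on whatever the calling program asks for. %u becomes the numeric
        # UID, and the XXXXXX suffix is replaced by mkstemp() so two
        # simultaneous logins by the same user do not share or clobber
        # one cache file.
        ccache = FILE:/var/tmp/krb5cc_%u_XXXXXX
    }
```

As the reply points out, this only takes effect when the calling program drives PAM correctly (pam_open_session followed by pam_setcred with PAM_ESTABLISH_CRED). With an OpenSSH old enough to request PAM_REINITIALIZE_CRED instead, sshd's own cache is refreshed and the user never sees a cache of this name, so verify the setting with a login path such as login and confirm with klist that the reported cache matches the pattern.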