Bug 41304 - openssh 3.7.1_p2 support for pam_krb5(afs)
Summary: openssh 3.7.1_p2 support for pam_krb5(afs)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All All
Importance: High normal
Assignee: Daniel Ahlberg (RETIRED)
Duplicates: 63147
Reported: 2004-02-11 15:58 UTC by Andrej Filipcic
Modified: 2005-05-29 15:13 UTC
Description Andrej Filipcic 2004-02-11 15:58:24 UTC
openssh-3.7.1_p2-r2 does not work with pam_krb5(afs). There are no tickets/afs tokens, although the system lets you in.

I have found the workaround in SuSE 9.0.

1) Patch for KRB5CCNAME:
--- gss-serv-krb5.c
+++ gss-serv-krb5.c
@@ -178,7 +178,9 @@

        client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
        client->store.envvar = "KRB5CCNAME";
-       client->store.envval = xstrdup(client->store.filename);
+       int envval_len = strlen(client->store.filename) + 6;
+       if (client->store.envval = xmalloc (envval_len))
+           snprintf(client->store.envval,envval_len,"FILE:%s",client->store.fil
ename);

 #ifdef USE_PAM
        if (options.use_pam)
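Review bot: the `if (client->store.envval = xmalloc (envval_len))` test in the added lines either never fails or fails silently. If `xmalloc` cannot return NULL the condition is dead code; if it can, `envval` is left NULL while `envvar` is already set to "KRB5CCNAME", with no error path. Drop the condition or handle the failure explicitly. The size `strlen(...) + 6` encodes the length of "FILE:" plus the terminator as a magic number and stores a `size_t` result in an `int`; deriving it from `sizeof("FILE:")` and keeping it as `size_t` would make the bound self-evident. The declaration of `envval_len` follows statements in the block, so it should move to the top of the block if this file is built as C89. The prefix is also hard-coded to "FILE:" while the name comes from `krb5_cc_get_name()`, so a comment stating that a file-based cache is assumed would help.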


2) sshd has to be linked with pthread library in order not to lose krb5 environment vars. I have replaced the configure line in the ebuild with
        LDFLAGS="-lpthread" CFLAGS="-DUSE_POSIX_THREADS ${CFLAGS}"  \
        CXXFLAGS="-DUSE_POSIX_THREADS ${CXXFLAGS}" \
        ./configure \

sshd works as expected.
Could that be included in the official ebuild? Maybe with "use kerberos" ...

Best regards,
Andrej
Comment 1 Daniel Ahlberg (RETIRED) gentoo-dev 2004-03-18 02:40:31 UTC
Is this still a problem in 3.8?
Comment 2 Matthew Turk (RETIRED) gentoo-dev 2004-04-03 16:06:09 UTC
Yes, it seems to be, even with "KerberosGetAFSToken yes" in /etc/ssh/sshd_config.
Comment 3 G. A. 2004-05-29 21:36:43 UTC
The current openssh ebuild (openssh-3.8_p1) still does not work with pam_krb5(afs). Although users can be authenticated, their tokens are not saved. This is due to the way pam modules are called from inside OpenSSH; other programs (like login, xdm, etc) don't have that problem. A workaround patch has been proposed; get it at http://itp.tugraz.at/Comp/Resources/OpenSSH/openssh-setcred.patch
Comment 4 SpanKY gentoo-dev 2005-03-14 19:02:03 UTC
does the aforementioned patch resolve this?
Comment 5 SpanKY gentoo-dev 2005-03-14 19:02:08 UTC
*** Bug 63147 has been marked as a duplicate of this bug. ***
Comment 6 Andrej Filipcic 2005-03-15 08:08:57 UTC
In SuSE 9.x builds I have found a solution. If ssh is compiled with pthreads, it works OK. No additional patches are needed. Maybe that can be a default or a use flag (like pthreads) could be implemented in the ebuild.
(tested with openssh 3.8x 3.9x 4.0)


So I have simply replaced the line
        econf \
with
        LDFLAGS="-lpthread" CFLAGS="-DUSE_POSIX_THREADS ${CFLAGS}"  \
        CXXFLAGS="-DUSE_POSIX_THREADS ${CXXFLAGS}" \
        econf \
Comment 7 M Grundman 2005-04-30 07:06:50 UTC
openssh-3.9_p1-r2 seems not to work with pam_krb5afs.

pam_sm_setcred() returns 18 (No module specific data is present)
Comment 8 Andrej Filipcic 2005-05-29 11:46:59 UTC
OK, the problem seems to be resolved with openssh 4.1, and it might also work with previous openssh versions (not checked).

sshd_config should have:
PasswordAuthentication yes
ChallengeResponseAuthentication no

(http://bugzilla.mindrot.org/show_bug.cgi?id=688)
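
The two settings from Comment 8 can be checked against a config file with the script below, which is an added example and not part of the bug thread or of OpenSSH. It relies on the sshd_config(5) rules that keywords are case-insensitive and that the first value obtained for a keyword is used, reads only the global section before any `Match` block, and runs on a constructed sample config; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): verify the sshd_config settings
# named in Comment 8. All function names here are hypothetical.

# Print the global value of a keyword, or "unset" if it is not present.
# Keywords are case-insensitive; the first occurrence wins; parsing stops
# at the first Match block because its contents apply only conditionally.
sshd_global_value() {   # usage: sshd_global_value <keyword> <config-file>
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ { next }                     # comment line
        NF == 0    { next }                     # blank line
        tolower($1) == "match" { exit }         # end of global section
        tolower($1) == want { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$2"
}

# Return 0 only if both settings are stated explicitly as in Comment 8.
check_krb5_pam_settings() {   # usage: check_krb5_pam_settings <config-file>
    rc=0
    pw=$(sshd_global_value PasswordAuthentication "$1")
    cr=$(sshd_global_value ChallengeResponseAuthentication "$1")
    [ "$pw" = "yes" ] || { echo "PasswordAuthentication is '$pw', want yes"; rc=1; }
    [ "$cr" = "no" ]  || { echo "ChallengeResponseAuthentication is '$cr', want no"; rc=1; }
    return $rc
}

# Constructed sample config: mixed-case keyword, a later duplicate that
# must be ignored, and a Match block that must not affect the result.
sample_config() {
cat <<'EOF'
# constructed sample, not taken from the bug report
passwordauthentication yes
ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
}

tmp=$(mktemp) && sample_config > "$tmp" && check_krb5_pam_settings "$tmp" \
    && echo "settings match Comment 8"; rm -f "$tmp"
```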
Comment 9 SpanKY gentoo-dev 2005-05-29 15:13:47 UTC
ok, sounds good then ... thanks for checking this again