Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 134307

Summary: sys-auth/pam_krb5-2.2.6 keywording and DEPEND
Product: Gentoo Linux Reporter: Bryan Jacobs <BryanRJ>
Component: New packagesAssignee: PAM Gentoo Team (OBSOLETE) <pam-bugs+disabled>
Status: RESOLVED WONTFIX    
Severity: normal CC: btrzcins, glua, jgonzalez.openinput, kerberos, kyron
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 47138    
Attachments: pam_krb5-3.5.ebuild

Description Bryan Jacobs 2006-05-25 03:59:19 UTC
I have been using sys-auth/pam_krb5-2.2.6 with a Heimdal 0.7 series KDC on x86 and amd64 for two months now with no problems.

Please change the DEPEND to virtual/krb5 and keyword the package into ~arch instead of -*.  This is the only pam_krb5 I've found that can correctly handle fetching openafs tokens (when used with a heimdal KDC), obviating pam-openafs-session for all cases except SSH with GSSAPI key-exchange but no OpenAFS ticket passing.
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-05-25 04:06:17 UTC
This is already fixed in 20030601 and 20030601-r1.
Comment 2 Bryan Jacobs 2006-05-25 08:35:06 UTC
This is not a valid solution.

pam_krb5-2003* and pam_krb5-2.2.6 are two entirely different packages - look at the SRC_URI in the ebuild and the DESCRIPTION.

2.2.6 comes from Fedora, whereas 2003* is from the SF.net pam_krb5 project.

They share the same name, but 2.2.6 works properly with OpenAFS and OpenSSH where 2003* does not.  The pam-2003* series also does strange things like depending on kth-krb if the "afs" USE flag is set.  Please keyword this package.
Comment 3 Eric Thibodeau 2006-09-19 19:58:44 UTC
I second that motion. I am using 2.2.6 on a production server and I am going through hell unmasking / keywording it correctly due to misversionning.
Comment 4 major 2006-10-30 18:26:56 UTC
(In reply to comment #2)

> They share the same name, but 2.2.6 works properly with OpenAFS and OpenSSH
> where 2003* does not.  The pam-2003* series also does strange things like
> depending on kth-krb if the "afs" USE flag is set.  Please keyword this
> package.

Yah, 2003* does indeed put a dependancy on kth-krb, but unfortunately claims that pam_krb5-2.2.6 work with everything out of the box are slightly exagerated. 
 
2.2.6 attempts to validate allowed logins by reading the .k5login.  This is cute and all, but it apparently attempts to do this before aquiring the AFS PAG even though the authentication succeeds.  Unless all logins make $HOME system:anyuser readable, then pam_krb5-2.2.6 fails the login due to recieving a permission denied error when attempting to open ${HOME}/.k5login.  Making ${HOME} paths system:anyuser globally readable in order to make pam_krb5-2.2.6 function is quite frankly "not a valid solution".  Particuarly since AFS directory acl's are inherited from the parent directory.  Every new directory created under ${HOME} would be created with system:anyuser read permission.

The claim that pam_krb5-2003* does not work with OpenSSH is also exagerated.  It works correctly so long as OpenSSH is capable of handing off the credential data correctly.  This gets into a bit of a religious war that has been going on between OpenSSH and pam for quite a while.  OpenSSH can't pass the credentials unless compiled with pthread support, but they have gone out of their way to make enabling pthread support difficult because people want to enable it thinking it improves performance, and for some reason OpenSSH isn't content to let people live with their own opinions and decisions.

pam_krb5-2003* does not have this problem.  Unfortunately, kth-krb is a dead project and not all of the pieces are in place to remove it from the systems yet.  Such as this pam issue.  The only problem with pam_krb5-2003* that I know of is the dependancy on the kth-krb package.  The OpenAFS and OpenSSH claims are both ficticious, and misleading.

Lastly, as noted, pam_krb5-2.2.6 does not work with OpenAFS unless one changes local security policies in order to allow it to read ${HOME}/.k5login on AFS, and there is no way to disable this check w/out disabling local account validation completely.
Comment 5 major 2006-10-30 19:01:30 UTC
(In reply to comment #4)
> 2.2.6 attempts to validate allowed logins by reading the .k5login.  This is
> cute and all, but it apparently attempts to do this before aquiring the AFS PAG
> even though the authentication succeeds.  Unless all logins make $HOME
> system:anyuser readable, then pam_krb5-2.2.6 fails the login due to recieving a
> permission denied error when attempting to open ${HOME}/.k5login.  Making
> ${HOME} paths system:anyuser globally readable in order to make pam_krb5-2.2.6
> function is quite frankly "not a valid solution".  Particuarly since AFS
> directory acl's are inherited from the parent directory.  Every new directory
> created under ${HOME} would be created with system:anyuser read permission.

I retract this statement.  It seems that the pam_krb5-2.2.6 requires the "token" argument in more sections then pam_krb5-2003* did.  I now have pam_krb5-2.2.6 requesting tokens in the auth, password, and session events, as well as needing use_shmem=sshd in the auth and session events to get around openssh's inability to hand off credientials between these stages of authentication.
Comment 6 Barnett Trzcinski 2007-01-04 21:42:15 UTC
I have just been going through intense torture with the other two pam_krb5's and AFS with Heimdal, and after reading this bug I unmasked 2.2.6 and tried it, and it's been working perfectly in a production environment. This absolutely should go in ~arch.
Comment 7 Volkmar Glauche 2007-01-10 09:39:47 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > 2.2.6 attempts to validate allowed logins by reading the .k5login.  This is

I have seen this behaviour, too, but it seems to be due to stale krb5cc_* files left after an unclean logout (e.g. user logged out by system reboot).
Otherwise, this module is working just fine on amd64. Please unmask this package.
Comment 8 Jakub Moc (RETIRED) gentoo-dev 2007-05-08 18:02:55 UTC
*** Bug 146449 has been marked as a duplicate of this bug. ***
Comment 9 Arno Hahma 2007-05-08 18:08:52 UTC
It still does not work:

as75|21:06|1|>ssh shetach.chem.jyu.fi
Password: 
Last login: Wed May  9 00:04:58 2007 from as75.adsl.tnnet.fi
arno@shetach ~ $ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_45132)

arno@shetach ~ $ kinit
Password for arno@CC.JYU.FI: 
arno@shetach ~ $ klist
Ticket cache: FILE:/tmp/krb5cc_45132
Default principal: arno@CC.JYU.FI

Valid starting     Expires            Service principal
05/08/07 21:07:02  05/09/07 07:07:02  krbtgt/CC.JYU.FI@CC.JYU.FI
        renew until 05/08/07 21:07:02
arno@shetach ~ $ 
Comment 10 Bryan Jacobs 2007-05-08 18:15:25 UTC
(In reply to comment #9)
> It still does not work:

There are many things that can prevent the OpenSSH/krb5 combo from working.  What I currently use is pam_krb5-3.5 from eyrie.org (attached).  Its only problem is that it provides no AFS support; when coupled with pam-afs-session, this isn't an issue.
Comment 11 Bryan Jacobs 2007-05-08 18:16:08 UTC
Created attachment 118608 [details]
pam_krb5-3.5.ebuild
Comment 12 Jakub Moc (RETIRED) gentoo-dev 2008-02-26 10:50:13 UTC
Use 3.9; closing this.