Your message dated Wed, 13 Apr 2005 14:53:42 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#270544: libpam-krb5: add "work across NAT router" feature
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 7 Sep 2004 20:46:46 +0000
>From [EMAIL PROTECTED] Tue Sep 07 13:46:46 2004
Return-path: <[EMAIL PROTECTED]>
Received: from mx.uni-klu.ac.at [143.205.180.45]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1C4mrV-0001AS-00; Tue, 07 Sep 2004 13:46:46 -0700
Received: from localhost (localhost [127.0.0.1])
by mx.uni-klu.ac.at (Postfix) with ESMTP id 6BD9A3BA88;
Tue, 7 Sep 2004 22:46:18 +0200 (CEST)
Received: from mx.uni-klu.ac.at ([127.0.0.1])
by localhost (mx [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
id 02979-09; Tue, 7 Sep 2004 22:46:16 +0200 (CEST)
Received: from wpsi.home.algepop.dyndns.org
(chello080109231226.4.uni-klu.teleweb.at [80.109.231.226])
by mx.uni-klu.ac.at (Postfix) with ESMTP id A8ACF3BA86;
Tue, 7 Sep 2004 22:46:16 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Albrecht Gebhardt <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: libpam-krb5: add "work across NAT router" feature
X-Mailer: reportbug 2.37-1.uk
Date: Tue, 07 Sep 2004 22:46:12 +0200
Message-Id: <[EMAIL PROTECTED]>
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at uni-klu.ac.at
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
Package: libpam-krb5
Version: 1.0-8.uk.1
Severity: wishlist
Tags: patch
It is not possible to log in with pam-krb5 from behind a NAT router (in
my case: from WLAN across my WRT54G WLAN access point). This is not a
bug, kinit(1) shows the same behaviuor.
kinit(1) provides a --no-addresses command line option, which helps
overcome this restriction.
I added a small patch which resembles kinit's --no-addresses option as a
"no_addresses" option for the pam configuration files /etc/pam.d/*. So I
can use statements like
auth sufficient pam_krb5.so use_first_pass ... no_addresses
etc.
Of course this could be forwared to the upstream authors, if proved to
be useful. It could also be implemented for the libpam-heimdal package
(there is a slightly different way to specify an empty ip adressess list).
The patch contains currently no man page addition, sorry.
My Debian system is a mix of woody and backported packages, as you can
see below, but I believe this should apply to a clean debian system in
the same way.
By
Albrecht Gebhardt
http://www.math.uni-klu.ac.at/~agebhard
the patch (was against libpam-krb5 1.0-8)
--- pam_krb5_auth.c.ag-noaddr Mon Jul 26 20:38:47 2004
+++ pam_krb5_auth.c Mon Jul 26 20:51:36 2004
@@ -55,6 +56,7 @@
int debug = 0, try_first_pass = 0, use_first_pass = 0;
int forwardable = 0, reuse_ccache = 0, no_ccache = 0;
+ int no_addresses = 0;
for (i = 0; i < argc; i++) {
if (strcmp(argv[i], "debug") == 0)
@@ -69,6 +71,8 @@
reuse_ccache = 1;
else if (strcmp(argv[i], "no_ccache") == 0)
no_ccache = 1;
+ else if (strcmp(argv[i], "no_addresses") == 0)
+ no_addresses = 1;
}
/* Get username */
@@ -91,6 +95,10 @@
memset(&creds, 0, sizeof(krb5_creds));
memset(cache_name, 0, sizeof(cache_name));
memset(lname, 0, sizeof(lname));
+
+ if (no_addresses) {
+ krb5_get_init_creds_opt_set_address_list (&opts, NULL);
+ }
if (forwardable)
krb5_get_init_creds_opt_set_forwardable(&opts, 1);
-- System Information:
Debian Release: 3.0-bunk-1
Architecture: i386
Kernel: Linux wpsi.home.algepop.dyndns.org 2.4.27-uk-lt-p3 #1 Tue Aug 10
23:04:21 CEST 2004 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages libpam-krb5 depends on:
ii libc6 2.2.5-11.5 GNU C Library: Shared libraries an
ii libcomerr2 1.35-2.uk The Common Error Description libra
ii libkrb53 1.2.7-3.uk MIT Kerberos runtime libraries
ii libpam0g 0.76-13.uk Pluggable Authentication Modules l
-- no debconf information
---------------------------------------
Received: (at 270544-done) by bugs.debian.org; 13 Apr 2005 21:53:46 +0000
>From [EMAIL PROTECTED] Wed Apr 13 14:53:46 2005
Return-path: <[EMAIL PROTECTED]>
Received: from smtp2.stanford.edu [171.67.16.125]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DLpnt-0001rk-00; Wed, 13 Apr 2005 14:53:45 -0700
Received: from windlord.stanford.edu (windlord.Stanford.EDU [171.64.19.147])
by smtp2.Stanford.EDU (8.12.11/8.12.11) with SMTP id j3DLrgqW018767
for <[EMAIL PROTECTED]>; Wed, 13 Apr 2005 14:53:43 -0700
Received: (qmail 16989 invoked by uid 1000); 13 Apr 2005 21:53:42 -0000
To: [EMAIL PROTECTED]
Subject: Re: Bug#270544: libpam-krb5: add "work across NAT router" feature
From: Russ Allbery <[EMAIL PROTECTED]>
Organization: The Eyrie
Date: Wed, 13 Apr 2005 14:53:42 -0700
Message-ID: <[EMAIL PROTECTED]>
User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4 (Jumbo Shrimp, linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
As mentioned previously, adding:
noaddresses = true
to [libdefaults] in krb5.conf is the right solution to this problem.
Closing the bug.
--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]