Package: libpam-krb5
Version: 1.2.0-3.TF.1

When using libpam-krb5 in 'auth' and 'session' (together with
pam_openafs_session.so), the libpam-krb5 WILL authenticate me,
but not create a correct ccache...

----- s n i p -----
[EMAIL PROTECTED] cat /etc/pam.d/ssh
auth            required                pam_nologin.so
auth            required                pam_env.so
auth            sufficient              pam_krb5.so forwardable debug
auth            required                pam_unix.so try_first_pass shadow
auth            required                pam_issue.so issue=/etc/issue.net

account         sufficient              pam_krb5.so forwardable debug
account         required                pam_unix.so try_first_pass shadow

password        required                pam_krb5.so debug

session         optional                pam_krb5.so debug
session         optional                pam_openafs_session.so ignore_root debug
session         required                pam_unix.so
session         optional                pam_lastlog.so
session         optional                pam_motd.so
----- s n i p -----

----- s n i p -----
[EMAIL PROTECTED] tail -f /var/log/auth.log -n0
Aug  7 13:19:42 pumba sshd[26408]: (pam_krb5): none: pam_sm_authenticate: entry
Aug  7 13:19:49 pumba sshd[26408]: (pam_krb5): turbo: pam_sm_authenticate: exit (success)
Aug  7 13:19:49 pumba sshd[26408]: (pam_krb5): none: pam_sm_acct_mgmt: entry
Aug  7 13:19:49 pumba sshd[26408]: (pam_krb5): turbo: pam_sm_acct_mgmt: exit (success)
Aug  7 13:19:49 pumba sshd[26408]: Accepted password for turbo from <IP> port 36807 ssh2
Aug  7 13:19:52 pumba sshd[26428]: (pam_krb5): none: pam_sm_setcred: entry (0x8)
Aug  7 13:19:52 pumba sshd[26428]: (pam_krb5): turbo: pam_sm_setcred: attempting to refresh cred cache FILE:/tmp/krb5cc_p19351
Aug  7 13:19:52 pumba sshd[26428]: (pam_krb5): turbo: pam_sm_setcred: initializing cred cache FILE:/tmp/krb5cc_p19351
Aug  7 13:19:52 pumba sshd[26428]: (pam_krb5): turbo: chown(): No such file or directory
Aug  7 13:19:52 pumba sshd[26428]: (pam_krb5): turbo: pam_sm_setcred: exit (failure)
Aug  7 13:19:52 pumba sshd[26428]: (pam_krb5): none: pam_sm_setcred: entry (0x2)
Aug  7 13:19:52 pumba sshd[26428]: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): Permission denied
Aug  7 13:19:52 pumba sshd[26428]: (pam_krb5): turbo: pam_sm_setcred: initializing cred cache /tmp/krb5cc_1000_lCHJom
Aug  7 13:19:52 pumba sshd[26428]: (pam_krb5): turbo: krb5_cc_start_seq_get(): Credentials cache permissions incorrect
Aug  7 13:19:52 pumba sshd[26428]: (pam_krb5): turbo: pam_sm_setcred: exit (failure)
Aug  7 13:19:52 pumba sshd[26428]: pam_openafs-krb5: open_session: Could not find Kerberos tickets; not running aklog
Aug  7 13:19:52 pumba PAM_unix[26428]: (ssh) session opened for user turbo by (uid=1000)
Aug  7 13:19:52 pumba sshd[26428]: (pam_krb5): none: pam_sm_setcred: entry (0x2)
Aug  7 13:19:52 pumba sshd[26428]: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): Permission denied
Aug  7 13:19:52 pumba sshd[26428]: (pam_krb5): turbo: pam_sm_setcred: initializing cred cache /tmp/krb5cc_1000_zPJ264
Aug  7 13:19:52 pumba sshd[26428]: (pam_krb5): turbo: krb5_cc_start_seq_get(): Credentials cache permissions incorrect
Aug  7 13:19:52 pumba sshd[26428]: (pam_krb5): turbo: pam_sm_setcred: exit (failure)
----- s n i p -----

----- s n i p -----
[EMAIL PROTECTED] ll /tmp/krb5cc_*
-rw-------    1 turbo    turbo           0 Aug  7 13:19 /tmp/krb5cc_1000_lCHJom
-rw-------    1 turbo    turbo           0 Aug  7 13:19 /tmp/krb5cc_1000_zPJ264
-rw-------    1 root     root          899 Aug  7 13:19 /tmp/krb5cc_pam_lqS0mM
----- s n i p -----

The last file is now my ccache, but (1) it's owned by root.root and it's not
used and (2) the ones that pam_krb says it's using are not initialized and (3)
it (pam_krb5) says that it's creating/initializing THREE different ccache files,
but it actually only creates (but not initializes) TWO...

Using the 'ccache' option for pam_krb5 won't help.

Logging in with ssh '3.4p1-1.woody.3':
----- s n i p -----
Could not chdir to home directory /afs/bayour.com/user/fredriksson/turbo/: Permission denied
bash: /afs/bayour.com/user/fredriksson/turbo//.bash_profile: Permission denied
[EMAIL PROTECTED]:/$ env
PWD=/
[EMAIL PROTECTED]:\w\$
USER=turbo
MAIL=/var/mail/turbo
SSH_CLIENT=82.182.174.117 36807 22
PAM_KRB5CCNAME=/tmp/krb5cc_pam_lqS0mM
LOGNAME=turbo
SHLVL=1
SHELL=/bin/bash
HOME=/afs/bayour.com/user/fredriksson/turbo/
TERM=xterm
PATH=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
SSH_TTY=/dev/pts/8
_=/usr/bin/env
----- s n i p -----

The PAM_KRB5CCNAME is new and also causes 'klist' to fail to see my ticket...


PS1. The '.TF.1' in the version is because I use (my own) semi-woody which is
    basically woody, with all LDAPv3 stuff etc from sid...

PS2. Libpam-krb5 v '1.0-10.TF.1' works correctly...
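
Added example, not part of the original report and not pam_krb5 code: a Python check for the three conditions visible in the /tmp/krb5cc_* listing above (cache owned by the wrong uid, zero-length cache, loose mode). The function names and the `expected_uid` parameter are assumptions of this example; the sample files are constructed and only reuse the names and sizes from the listing.

```python
import os
import stat
import tempfile

def audit_ccaches(directory, expected_uid, prefix="krb5cc_"):
    """Return {path: [problems]} for FILE: credential caches in `directory`."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.startswith(prefix):
            continue
        path = os.path.join(directory, name)
        st = os.lstat(path)  # lstat: never follow a symlink planted in /tmp
        problems = []
        if not stat.S_ISREG(st.st_mode):
            problems.append("not a regular file")
        else:
            if st.st_uid != expected_uid:
                problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
            if st.st_size == 0:
                problems.append("empty (created but never initialized)")
            if stat.S_IMODE(st.st_mode) & 0o077:
                problems.append("accessible by group or other")
        findings[path] = problems
    return findings

def usable_ccaches(findings):
    """Caches with no problems, i.e. ones the user's klist/aklog could read."""
    return [path for path, problems in findings.items() if not problems]

def build_sample(directory):
    """Constructed sample: two empty caches and one populated, as in the listing."""
    sample = (("krb5cc_1000_lCHJom", 0),
              ("krb5cc_1000_zPJ264", 0),
              ("krb5cc_pam_lqS0mM", 899))
    for name, size in sample:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)  # placeholder bytes, not a real ccache
        os.chmod(path, 0o600)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        # Files are created by the current user, so only the empty ones are flagged.
        for path, problems in audit_ccaches(tmp, os.getuid()).items():
            print(os.path.basename(path), problems or "ok")
```

Run against the real directory as `audit_ccaches("/tmp", 1000)` to reproduce the reported state: the only populated cache fails the ownership check, so `usable_ccaches()` returns nothing.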