Package: slim
Version: 1.3.0-2
Severity: normal

Hi,

I have my system set up so that it will authenticate to a Kerberos realm using PAM. This used to work with gdm; however, because gdm sucks, I recently switched to slim. Unfortunately, this does not seem to work 100%.

A bit of background in case you are not familiar with the way the Kerberos PAM module works: when authenticating to a Kerberos KDC, you get a 'ticket granting ticket', which needs to be stored in a local credentials cache so that the user can later on use it to authenticate to other services. The default filename of this credentials cache is '/tmp/krb5cc_<uid>', e.g., '/tmp/krb5cc_1000' if your uid is 1000. However, it is possible to change the name of this ticket cache by specifying its name in the environment variable 'KRB5CCNAME'.

In order to avoid an attack through a race condition, the PAM module will set this variable to a filename based on the default, but with '_' appended, followed by six random characters; e.g., something like '/tmp/krb5cc_1000_iBlsqd'. However, it will _only_ do this if the authentication was successful; if the user did not successfully log on through the Kerberos PAM module, then the session component of the PAM module will not set the environment variable.

The expectation is thus that either there is no ticket cache, in which case calling 'klist' with no arguments (which will show the contents of the credentials cache) will say there is an empty credentials cache called '/tmp/krb5cc_<uid>'; or it will show at least a ticket-granting ticket in a credentials cache called '/tmp/krb5cc_<uid>_<random>'.

This was the case in gdm, and is still the case when logging on through /bin/login. However, it is not true with slim; when logging on through slim, the environment variable is set, but the credentials cache is empty or does not exist.

I'm not 100% sure why this is the case, but it should not happen.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: powerpc (ppc)

Kernel: Linux 2.6.29-2-powerpc
Locale: LANG=nl_BE.UTF-8, LC_CTYPE=nl_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages slim depends on:
ii  debconf [debconf-2.0]         1.5.26     Debian configuration management sy
ii  libc6                         2.9-12     GNU C Library: Shared libraries
ii  libgcc1                       1:4.4.0-4  GCC support library
ii  libjpeg62                     6b-14      The Independent JPEG Group's JPEG
ii  libpam0g                      1.0.1-9    Pluggable Authentication Modules l
ii  libpng12-0                    1.2.35-1   PNG library - runtime
ii  libstdc++6                    4.4.0-4    The GNU Standard C++ Library v3
ii  libx11-6                      2:1.2.1-1  X11 client-side library
ii  libxft2                       2.1.13-3   FreeType-based font drawing librar
ii  libxmu6                       2:1.0.4-1  X11 miscellaneous utility library

Versions of packages slim recommends:
ii  eterm [x-terminal-emulator]   0.9.5-2    Enlightened Terminal Emulator
ii  konsole [x-terminal-emulator] 4:4.2.2-1  X terminal emulator for KDE 4
ii  rxvt-unicode [x-terminal-emul 9.06-1     RXVT-like terminal emulator with U
ii  xterm [x-terminal-emulator]   242-1      X terminal emulator

Versions of packages slim suggests:
pn  scrot                         <none>     (no description available)

-- debconf information:
* shared/default-x-display-manager: slim
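
A file-level check for the session states described in the report, as an added example that is not part of the original report or of slim or the PAM module. The function name `classify_ccache`, its state labels and the optional cache-directory argument are assumptions made for this example; it accepts the variable with or without a `FILE:` prefix and does not inspect ticket contents.

```shell
#!/bin/sh
# Classify the Kerberos credentials cache state of a login session.
#   $1 = value of KRB5CCNAME (may be empty)
#   $2 = numeric uid
#   $3 = cache directory (hypothetical parameter, default /tmp, so the
#        check can also be run against constructed files)
# This is a file-level check only: it does not validate the tickets.
classify_ccache() {
    ccname=$1
    uid=$2
    dir=${3:-/tmp}
    default="$dir/krb5cc_$uid"

    if [ -z "$ccname" ]; then
        # Variable unset: the Kerberos tools fall back to the default name.
        if [ -s "$default" ]; then
            echo "default-cache-present"
        else
            echo "no-kerberos-login"
        fi
        return 0
    fi

    # Accept both a bare path and the FILE:<path> form.
    path=${ccname#FILE:}

    # After a successful login the name is the default plus '_' and
    # six random characters; anything else is worth a closer look.
    case $path in
        "${default}"_??????) ;;
        *) echo "unexpected-name"; return 0 ;;
    esac

    if [ ! -e "$path" ]; then
        echo "variable-set-cache-missing"   # the state reported with slim
    elif [ ! -s "$path" ]; then
        echo "variable-set-cache-empty"     # also reported with slim
    else
        echo "randomized-cache-present"     # state expected after a Kerberos login
    fi
}

# Report the state of the current session.
classify_ccache "${KRB5CCNAME:-}" "$(id -u)"
```
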

