[While configuring dropbear-2016.74 for use with pam_krb5] I found
a deficiency, the lack of pam_setcred(), and suggest a fix as follows:

sed -i.orig '
/\/\* successful authentication \*\//i\
        if ((rc = pam_setcred(pamHandlep, 0)) != PAM_SUCCESS) {\
                dropbear_log(LOG_WARNING, "pam_setcred() failed, rc=%d, %s",\
                                rc, pam_strerror(pamHandlep, rc));\
                send_msg_userauth_failure(0, 1);\
                goto cleanup;\

' svr-authpam.c

It is not complete to be able to use the Kerberos tickets after login,
the KRB5CCNAME variable needs to be passed from pam to the user environment.

Thus, conditionally passing KRB5CCNAME would be a useful feature.

NFSv4/Kerberos finds the user tickets on its own, because of this
the above change _is_ sufficient for accessing NFSv4 home directories.

It also improves the conformance to the pam API.


Reply via email to