On Fri, Oct 21, 2005 at 05:10:39PM +0200, Harti Brandt wrote:
> On Fri, 21 Oct 2005, Stijn Hoop wrote:
> SH>On Fri, Oct 21, 2005 at 04:08:14PM +0200, Harti Brandt wrote:
> SH>> I have enabled the pam_krb5 module in pam.d/{login,telnetd,sshd}. When
> SH>> login in locally I get a Kerberos ticket as I would expect. When logging
> SH>> in via ssh or telnet I don't get one. I have digged around in the
> sources
> SH>> and it locks like telnetd never calls pam_setcred() which would do this
> SH>> work. My PAM-foo is rather limited so my question is: shouldn't sshd and
> SH>> telnetd call pam_setcred() somewhere?
> SH>
> SH>WRT sshd I bugged des@ about this but did not receive an answer :( See
> SH>the attached mail.
>
> Hmm. I digged around a little bit and found something:
>
> http://bugzilla.mindrot.org/show_bug.cgi?id=789
>
> From a first glance it seems that this bug was introduced by fixing
> another bug.
I see. If I understand correctly, disabling privsep will fix it?
Still, I would really like to get an answer to my PAM question:
"Is it allowed for an application to only call pam_setcred with the
PAM_REINITIALIZE_FLAG, while never having called it with PAM_ESTABLISH_CRED?"
Did you find out yet?
--Stijn
--
"An adult is a child who has more ethics and morals, that's all."
-- Shigeru Miyamoto
pgpkayQNm7aCg.pgp
Description: PGP signature
