On Sun, 2016-09-18 at 20:56 +0200, u-p...@aetey.se wrote:
> Hello,
>
> [While configuring dropbear-2016.74 for use with pam_krb5] I found
> a deficiency, the lack of pam_setcred(), and suggest a fix as follows:

This reminds me, I have several fixes to pam / expired passwd handling.
I just (dry) ported them to:
  https://github.com/joakim-tjernlund/dropbear/commits/expired_passwd
Hopefully these can be added to dropbear. You might want to build kerberos upon that.

 Jocke

>
> sed -i.orig '
> /\/\* successful authentication \*\//i\
> if ((rc = pam_setcred(pamHandlep, 0)) != PAM_SUCCESS) {\
> dropbear_log(LOG_WARNING, "pam_setcred() failed, rc=%d, %s",\
> rc, pam_strerror(pamHandlep, rc));\
> send_msg_userauth_failure(0, 1);\
> goto cleanup;\
> }\
>
> ' svr-authpam.c
>
> It is not complete to be able to use the Kerberos tickets after login,
> the KRB5CCNAME variable needs to be passed from pam to the user environment.
>
> Thus, conditionally passing KRB5CCNAME would be a useful feature.
>
> NFSv4/Kerberos finds the user tickets on its own, because of this
> the above change _is_ sufficient for accessing NFSv4 home directories.
>
> It also improves the conformance to the pam API.
>
> Regards,
> Rune
>
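
An added example, not part of this thread or of dropbear's code: one way to pass KRB5CCNAME conditionally, as the quoted message suggests, is to filter the PAM environment against an allow-list before copying anything into the user's session. The names `filter_pam_env`, `pam_env_allowed` and `pam_env_allow` are hypothetical, and the input is assumed to be a NULL-terminated "NAME=value" list of the kind `pam_getenvlist()` returns.

```c
#include <stdio.h>
#include <string.h>

/* Assumed policy: only these PAM-set variables may reach the user session. */
static const char *const pam_env_allow[] = { "KRB5CCNAME", NULL };

/* Return 1 if entry is "NAME=value" and NAME is exactly on the allow-list. */
static int pam_env_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t i, len;

    if (eq == NULL || eq == entry)
        return 0;                       /* malformed: no '=' or empty name */
    len = (size_t)(eq - entry);
    for (i = 0; pam_env_allow[i] != NULL; i++) {
        if (strlen(pam_env_allow[i]) == len &&
            strncmp(entry, pam_env_allow[i], len) == 0)
            return 1;
    }
    return 0;
}

/* Copy pointers to allow-listed entries from a NULL-terminated list (the
 * shape pam_getenvlist() returns) into out[]; returns how many were kept. */
size_t filter_pam_env(char *const *pam_env, const char **out, size_t out_cap)
{
    size_t kept = 0;

    if (pam_env == NULL)
        return 0;
    for (; *pam_env != NULL; pam_env++) {
        if (kept < out_cap && pam_env_allowed(*pam_env))
            out[kept++] = *pam_env;
    }
    return kept;
}

int main(void)
{
    /* Constructed sample standing in for a PAM environment list. */
    char *sample[] = { "KRB5CCNAME=FILE:/tmp/krb5cc_example",
                       "LD_PRELOAD=/tmp/example.so", "KRB5CCNAMEX=1", NULL };
    const char *out[4];
    size_t i, n = filter_pam_env(sample, out, 4);

    for (i = 0; i < n; i++)
        printf("export to session: %s\n", out[i]);
    return 0;
}
```

Matching the whole name rather than a prefix keeps look-alike variables such as `KRB5CCNAMEX` out, and everything a PAM module sets that is not on the list (for example `LD_PRELOAD`) is dropped.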