patch: a deficiency in pam support
Joakim Tjernlund
Joakim.Tjernlund at infinera.com
Mon Sep 19 18:46:21 AWST 2016
On Sun, 2016-09-18 at 20:56 +0200, u-pwhy at aetey.se wrote:
> Hello,
>
> [While configuring dropbear-2016.74 for use with pam_krb5] I found
> a deficiency, the lack of pam_setcred(), and suggest a fix as follows:
This reminds me, I have several fixes to pam / expired passwd handling.
I just (dry) ported them to:
https://github.com/joakim-tjernlund/dropbear/commits/expired_passwd
Hopefully these can be added to dropbear.
You might want to build Kerberos upon that.
Jocke
>
> sed -i.orig '
> /\/\* successful authentication \*\//i\
> if ((rc = pam_setcred(pamHandlep, 0)) != PAM_SUCCESS) {\
> dropbear_log(LOG_WARNING, "pam_setcred() failed, rc=%d, %s",\
> rc, pam_strerror(pamHandlep, rc));\
> send_msg_userauth_failure(0, 1);\
> goto cleanup;\
> }\
>
> ' svr-authpam.c
>
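Review bot: the inserted call pam_setcred(pamHandlep, 0) passes a bare 0 as the flags argument, where the PAM API expects one of PAM_ESTABLISH_CRED, PAM_DELETE_CRED, PAM_REINITIALIZE_CRED or PAM_REFRESH_CRED; spell the intent out as PAM_ESTABLISH_CRED rather than depending on how a particular PAM library treats 0. Nothing in the inserted lines pairs the established credentials with a later pam_setcred(..., PAM_DELETE_CRED), so state in the patch description where they are released, or add that call on the session teardown path.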
> It is not complete to be able to use the Kerberos tickets after login,
> the KRB5CCNAME variable needs to be passed from pam to the user environment.
>
> Thus, conditionally passing KRB5CCNAME would be a useful feature.
>
> NFSv4/Kerberos finds the user tickets on its own, because of this
> the above change _is_ sufficient for accessing NFSv4 home directories.
>
> It also improves the conformance to the pam API.
>
> Regards,
> Rune
>
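Rune's remark about conditionally passing KRB5CCNAME from pam to the user environment, sketched as an added example that is not code from Dropbear or from either poster. The names filter_pam_env and pam_env_allow are hypothetical, and the input is assumed to be a NULL-terminated "NAME=value" list of the shape pam_getenvlist() returns; only allowlisted names with a clean, non-empty value are selected.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Names the server agrees to take over from PAM (assumed allowlist). */
static const char *const pam_env_allow[] = { "KRB5CCNAME", NULL };

/* 1 if entry is "NAME=value" with an allowlisted NAME and a non-empty
 * value containing no control bytes, else 0. */
static int entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry || eq[1] == '\0')
        return 0;
    for (const char *p = eq + 1; *p != '\0'; p++)
        if ((unsigned char)*p < 0x20 || *p == 0x7f)
            return 0;
    for (size_t i = 0; pam_env_allow[i] != NULL; i++) {
        size_t n = strlen(pam_env_allow[i]);
        if ((size_t)(eq - entry) == n && memcmp(entry, pam_env_allow[i], n) == 0)
            return 1;   /* exact name match, not a prefix match */
    }
    return 0;
}

/* Select allowlisted entries from a NULL-terminated "NAME=value" list.
 * Stores pointers into `in` (no copies) and returns how many were kept. */
size_t filter_pam_env(char *const *in, const char **out, size_t outcap)
{
    size_t count = 0;
    if (in == NULL)
        return 0;
    for (; *in != NULL && count < outcap; in++)
        if (entry_allowed(*in))
            out[count++] = *in;
    return count;
}

int main(void)
{
    /* Constructed sample of what a PAM stack might hand back. */
    char *sample[] = { "PATH=/opt/bin", "KRB5CCNAME=FILE:/tmp/krb5cc_1000",
                       "KRB5CCNAME_OLD=x", "KRB5CCNAME=", NULL };
    const char *keep[4];
    size_t n = filter_pam_env(sample, keep, 4);
    for (size_t i = 0; i < n; i++)
        puts(keep[i]);   /* entries the server would add to the session environment */
    return 0;
}
```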