Bug 5263
Summary: | PAM configuration is inherently broken | ||
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | chardin |
Component: | pam | Assignee: | David Lawrence <dkl> |
Status: | CLOSED NEXTRELEASE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 6.0 | CC: | allbery |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 1999-09-22 01:44:15 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
chardin
1999-09-21 01:33:20 UTC
And your suggested alternative is? xdm's architecture unfortunately does not lend itself to proper pamification. For Red Hat Linux 6.1, I'm happy to report that it looks like we'll be using gdm 2.0, which is the first *dm to do proper PAM authentication, to the best of my knowledge. If there are bugs in that support, we certainly want to know about it. I'm going to mark this as "fixed in the next release"; if gdm 2 as I expect ships in 6.1 does not work for you with that module, please re-open this bug report with details. If you have reports of other programs not working with the kerberos PAM modules you are using, please open seperate bug reports against each of those programs so that we will not miss some of them. Please note that some programs are constrained by protocol (such as IMAP) and so cannot be made to take full advantage of PAM's flexibility. Sorry, but our hands are tied in those cases. I'm the person who maintains the (modified Red Hat) Linux distribution for CMU ECE. Kerberos is actually the least of the problems with PAM --- and xdm is not the only program which has problems. Kerberos-related PAM issues easily worked around by adding a chown() in the appropriate PAM module after acquiring tickets and storing them in the ticket cache. The real problem is that the Kerberos tickets are then used to acquire AFS tokens (modified Kerberos service tickets), which are stuffed into a kernel-side cache called a PAG so the AFS client filesystem code can authenticate to the AFS servers. The difficulty is that when many programs invoke the PAM session stack, they are running in the server's context; while for Kerberos this means that files created by the PAM module have the wrong owner, for AFS it means that multiple connections will share the same PAG and therefore the same AFS permissions. I should note that this is also not limited to Red Hat's products: xscreensaver does some things wrong when AFS PAM modules are involved, and Sun's CDE has to be patched to work with AFS PAM modules. It seems to be a general problem with knowing when to invoke PAM module stacks. This issue caused several departments at CMU to avoid Red Hat 6.0. |