Bug 5263

Summary: PAM configuration is inherently broken
Product: [Retired] Red Hat Linux Reporter: chardin
Component: pamAssignee: David Lawrence <dkl>
Status: CLOSED NEXTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 6.0CC: allbery
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 1999-09-22 01:44:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description chardin 1999-09-21 01:33:20 UTC 
it appears that PAM is suffering from some fundamental
architecture problems with regards to authentication
beyound the normal UID/GID credentials. namely, some
institutions rely on services such as kerberos whose
authentication methods are not easily performed using the
PAM interface.

this is truly a shame because you are now requiring people
to roll their own methods for authentication instead of
being able to use a PAM module.
Comment 1 Michael K. Johnson 1999-09-22 00:52:59 UTC 
And your suggested alternative is?
Comment 2 Michael K. Johnson 1999-09-22 01:44:59 UTC 
xdm's architecture unfortunately does not lend itself to proper
pamification.  For Red Hat Linux 6.1, I'm happy to report that it
looks like we'll be using gdm 2.0, which is the first *dm to do
proper PAM authentication, to the best of my knowledge.  If there
are bugs in that support, we certainly want to know about it.

I'm going to mark this as "fixed in the next release"; if gdm 2
as I expect ships in 6.1 does not work for you with that module,
please re-open this bug report with details.

If you have reports of other programs not working with the
kerberos PAM modules you are using, please open seperate bug
reports against each of those programs so that we will not
miss some of them.

Please note that some programs are constrained by protocol
(such as IMAP) and so cannot be made to take full advantage
of PAM's flexibility.  Sorry, but our hands are tied in those
cases.
Comment 3 allbery 1999-09-23 21:44:59 UTC 
I'm the person who maintains the (modified Red Hat) Linux distribution
for CMU ECE.

Kerberos is actually the least of the problems with PAM --- and xdm is
not the only program which has problems.

Kerberos-related PAM issues easily worked around by adding a chown()
in the appropriate PAM module after acquiring tickets and storing them
in the ticket cache.  The real problem is that the Kerberos tickets
are then used to acquire AFS tokens (modified Kerberos service
tickets), which are stuffed into a kernel-side cache called a PAG so
the AFS client filesystem code can authenticate to the AFS servers.
The difficulty is that when many programs invoke the PAM session
stack, they are running in the server's context; while for Kerberos
this means that files created by the PAM module have the wrong owner,
for AFS it means that multiple connections will share the same PAG and
therefore the same AFS permissions.

I should note that this is also not limited to Red Hat's products:
xscreensaver does some things wrong when AFS PAM modules are involved,
and Sun's CDE has to be patched to work with AFS PAM modules.  It
seems to be a general problem with knowing when to invoke PAM module
stacks.

This issue caused several departments at CMU to avoid Red Hat 6.0.