Giter Club home page Giter Club logo

pam-krb5's Introduction

pam-krb5

Build status Debian package

Copyright 2005-2010, 2014-2015, 2017, 2020-2021 Russ Allbery [email protected]. Copyright 2009-2011 The Board of Trustees of the Leland Stanford Junior University. Copyright 2005 Andres Salomon [email protected]. Copyright 1999-2000 Frank Cusack [email protected]. This software is distributed under a BSD-style license. Please see the section License below for more information.

Blurb

pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal. It supports ticket refreshing by screen savers, configurable authorization handling, authentication of non-local accounts for network services, password changing, and password expiration, as well as all the standard expected PAM features. It works correctly with OpenSSH, even with ChallengeResponseAuthentication and PrivilegeSeparation enabled, and supports extensive configuration either by PAM options or in krb5.conf or both. PKINIT is supported with recent versions of both MIT Kerberos and Heimdal and FAST is supported with recent MIT Kerberos.

Description

pam-krb5 provides a Kerberos PAM module that supports authentication, user ticket cache handling, simple authorization (via .k5login or checking Kerberos principals against local usernames), and password changing. It can be configured through either options in the PAM configuration itself or through entries in the system krb5.conf file, and it tries to work around PAM implementation flaws in commonly-used PAM-enabled applications such as OpenSSH and xdm. It supports both PKINIT and FAST to the extent that the underlying Kerberos libraries support these features.

This is not the Kerberos PAM module maintained on Sourceforge and used on Red Hat systems. It is an independent implementation that, if it ever shared any common code, diverged long ago. It supports some features that the Sourceforge module does not (particularly around authorization), and does not support some options (particularly ones not directly related to Kerberos) that it does. This module will never support Kerberos v4 or AFS. For an AFS session module that works with this module (or any other Kerberos PAM module), see pam-afs-session.

If there are other options besides AFS and Kerberos v4 support from the Sourceforge PAM module that you're missing in this module, please let me know.

Requirements

Either MIT Kerberos (or Kerberos implementations based on it) or Heimdal are supported. MIT Keberos 1.3 or later may be required; this module has not been tested with earlier versions.

For PKINIT support, Heimdal 0.8rc1 or later or MIT Kerberos 1.6.3 or later are required. Earlier MIT Kerberos 1.6 releases have a bug in their handling of PKINIT options. MIT Kerberos 1.12 or later is required to use the use_pkinit PAM option.

For FAST (Flexible Authentication Secure Tunneling) support, MIT Kerberos 1.7 or higher is required. For anonymous FAST support, anonymous authentication (generally anonymous PKINIT) support is required in both the Kerberos libraries and in the local KDC.

This module should work on Linux and build with gcc or clang. It may still work on Solaris and build with the Sun C compiler, but I have only tested it on Linux recently. There is beta-quality support for the AIX NAS Kerberos implementation that has not been tested in years. Other PAM implementations will probably require some porting, although untested build system support is present for FreeBSD, Mac OS X, and HP-UX. I personally can only test on Linux and rely on others to report problems on other operating systems.

Old versions of OpenSSH are known to call pam_authenticate followed by pam_setcred(PAM_REINITIALIZE_CRED) without first calling pam_open_session, thereby requesting that an existing ticket cache be renewed (similar to what a screensaver would want) rather than requesting a new ticket cache be created. Since this behavior is indistinguishable at the PAM level from a screensaver, pam-krb5 when used with these old versions of OpenSSH will refresh the ticket cache of the OpenSSH daemon rather than setting up a new ticket cache for the user. The resulting ticket cache will have the correct permissions (this is not a security concern), but will not be named correctly or referenced in the user's environment and will be overwritten by the next user login. The best solution to this problem is to upgrade OpenSSH. I'm not sure exactly when this problem was fixed, but at the very least OpenSSH 4.3 and later do not exhibit it.

To bootstrap from a Git checkout, or if you change the Automake files and need to regenerate Makefile.in, you will need Automake 1.11 or later. For bootstrap or if you change configure.ac or any of the m4 files it includes and need to regenerate configure or config.h.in, you will need Autoconf 2.64 or later. Perl is also required to generate manual pages from a fresh Git checkout.

Building and Installation

You can build and install pam-krb5 with the standard commands:

    ./configure
    make
    make install

If you are building from a Git clone, first run ./bootstrap in the source directory to generate the build files. make install will probably have to be done as root. Building outside of the source directory is also supported, if you wish, by creating an empty directory and then running configure with the correct relative path.

The module will be installed in /usr/local/lib/security by default, but expect to have to override this using --libdir. The correct installation path for PAM modules varies considerably between systems. The module will always be installed in a subdirectory named security under the specified value of --libdir. On Red Hat Linux, for example, --libdir=/usr/lib64 is appropriate to install the module into the system PAM directory. On Debian's amd64 architecture, --libdir=/usr/lib/x86_64-linux-gnu would be correct.

Normally, configure will use krb5-config to determine the flags to use to compile with your Kerberos libraries. To specify a particular krb5-config script to use, either set the PATH_KRB5_CONFIG environment variable or pass it to configure like:

    ./configure PATH_KRB5_CONFIG=/path/to/krb5-config

If krb5-config isn't found, configure will look for the standard Kerberos libraries in locations already searched by your compiler. If the the krb5-config script first in your path is not the one corresponding to the Kerberos libraries you want to use, or if your Kerberos libraries and includes aren't in a location searched by default by your compiler, you need to specify a different Kerberos installation root via --with-krb5=PATH. For example:

    ./configure --with-krb5=/usr/pubsw

You can also individually set the paths to the include directory and the library directory with --with-krb5-include and --with-krb5-lib. You may need to do this if Autoconf can't figure out whether to use lib, lib32, or lib64 on your platform.

To not use krb5-config and force library probing even if there is a krb5-config script on your path, set PATH_KRB5_CONFIG to a nonexistent path:

    ./configure PATH_KRB5_CONFIG=/nonexistent

krb5-config is not used and library probing is always done if either --with-krb5-include or --with-krb5-lib are given.

Pass --enable-silent-rules to configure for a quieter build (similar to the Linux kernel). Use make warnings instead of make to build with full GCC compiler warnings (requires either GCC or Clang and may require a relatively current version of the compiler).

You can pass the --enable-reduced-depends flag to configure to try to minimize the shared library dependencies encoded in the binaries. This omits from the link line all the libraries included solely because other libraries depend on them and instead links the programs only against libraries whose APIs are called directly. This will only work with shared libraries and will only work on platforms where shared libraries properly encode their own dependencies (this includes most modern platforms such as all Linux). It is intended primarily for building packages for Linux distributions to avoid encoding unnecessary shared library dependencies that make shared library migrations more difficult. If none of the above made any sense to you, don't bother with this flag.

Testing

pam-krb5 comes with a comprehensive test suite, but it requires some configuration in order to test anything other than low-level utility functions. For the full test suite, you will need to have a running KDC in which you can create two test accounts, one with admin access to the other. Using a test KDC environment, if you have one, is recommended.

Follow the instructions in tests/config/README to configure the test suite.

Now, you can run the test suite with:

    make check

If a test fails, you can run a single test with verbose output via:

    tests/runtests -o <name-of-test>

Do this instead of running the test program directly since it will ensure that necessary environment variables are set up.

The default libkadm5clnt library on the system must match the implementation of your KDC for the module/expired test to work, since the two kadmin protocols are not compatible. If you use the MIT library against a Heimdal server, the test will be skipped; if you use the Heimdal library against an MIT server, the test suite may hang.

Several module/expired tests are expected to fail with Heimdal 1.5 due to a bug in Heimdal with reauthenticating immediately after a library-mediated password change of an expired password. This is fixed in later releases of Heimdal.

To run the full test suite, Perl 5.10 or later is required. The following additional Perl modules will be used if present:

  • Test::Pod
  • Test::Spelling

All are available on CPAN. Those tests will be skipped if the modules are not available.

To enable tests that don't detect functionality problems but are used to sanity-check the release, set the environment variable RELEASE_TESTING to a true value. To enable tests that may be sensitive to the local environment or that produce a lot of false positives without uncovering many problems, set the environment variable AUTHOR_TESTING to a true value.

Configuring

Just installing the module does not enable it or change anything about your system authentication configuration. To use the module for all system authentication on Debian systems, put something like:

    auth  sufficient   pam_krb5.so minimum_uid=1000
    auth  required     pam_unix.so try_first_pass nullok_secure

in /etc/pam.d/common-auth, something like:

    session  optional  pam_krb5.so minimum_uid=1000
    session  required  pam_unix.so

in /etc/pam.d/common-session, and something like:

    account  required  pam_krb5.so minimum_uid=1000
    account  required  pam_unix.so

in /etc/pam.d/common-account. The minimum_uid setting tells the PAM module to pass on any users with a UID lower than 1000, thereby bypassing Kerberos authentication for the root account and any system accounts. You normally want to do this since otherwise, if the network is down, the Kerberos authentication can time out and make it difficult to log in as root and fix matters. This also avoids problems with Kerberos principals that happen to match system accounts accidentally getting access to those accounts.

Be sure to include the module in the session group as well as the auth group. Without the session entry, the user's ticket cache will not be created properly for ssh logins (among possibly others).

If your users should normally all use Kerberos passwords exclusively, putting something like:

    password sufficient pam_krb5.so minimum_uid=1000
    password required   pam_unix.so try_first_pass obscure md5

in /etc/pam.d/common-password will change users' passwords in Kerberos by default and then only fall back on Unix if that doesn't work. (You can make this tighter by using the more complex new-style PAM configuration.) If you instead want to synchronize local and Kerberos passwords and change them both at the same time, you can do something like:

    password required   pam_unix.so obscure sha512
    password required   pam_krb5.so use_authtok minimum_uid=1000

If you have multiple environments that you want to synchronize and you don't want password changes to continue if the Kerberos password change fails, use the clear_on_fail option. For example:

    password required   pam_krb5.so clear_on_fail minimum_uid=1000
    password required   pam_unix.so use_authtok obscure sha512
    password required   pam_smbpass.so use_authtok

In this case, if pam_krb5 cannot change the password (due to password strength rules on the KDC, for example), it will clear the stored password (because of the clear_on_fail option), and since pam_unix and pam_smbpass are both configured with use_authtok, they will both fail. clear_on_fail is not the default because it would interfere with the more common pattern of falling back to local passwords if the user doesn't exist in Kerberos.

If you use a more complex configuration with the Linux PAM [] syntax for the session and account groups, note that pam_krb5 returns a status of ignore, not success, if the user didn't log on with Kerberos. You may need to handle that explicitly with ignore=ignore in your action list.

There are many, many other possibilities. See the Linux PAM documentation for all the configuration options.

On Red Hat systems, modify /etc/pam.d/system-auth instead, which contains all of the configuration for the different stacks.

You can also use pam-krb5 only for specific services. In that case, modify the files in /etc/pam.d for that particular service to use pam_krb5.so for authentication. For services that are using passwords over TLS to authenticate users, you may want to use the ignore_k5login and no_ccache options to the authenticate module. .k5login authorization is only meaningful for local accounts and ticket caches are usually (although not always) only useful for interactive sessions.

Configuring the module for Solaris is both simpler and less flexible, since Solaris (at least Solaris 8 and 9, which are the last versions of Solaris with which this module was extensively tested) use a single /etc/pam.conf file that contains configuration for all programs. For console login on Solaris, try something like:

    login auth sufficient /usr/local/lib/security/pam_krb5.so minimum_uid=100
    login auth required /usr/lib/security/pam_unix_auth.so.1 use_first_pass
    login account required /usr/local/lib/security/pam_krb5.so minimum_uid=100
    login account required /usr/lib/security/pam_unix_account.so.1
    login session required /usr/local/lib/security/pam_krb5.so retain_after_close minimum_uid=100
    login session required /usr/lib/security/pam_unix_session.so.1

A similar configuration could be used for other services, such as ssh. See the pam.conf(5) man page for more information. When using this module with Solaris login (at least on Solaris 8 and 9), you will probably also need to add retain_after_close to the PAM configuration to avoid having the user's credentials deleted before they are logged in.

The Solaris Kerberos library reportedly does not support prompting for a password change of an expired account during authentication. Supporting password change for expired accounts on Solaris with native Kerberos may therefore require setting the defer_pwchange or force_pwchange option for selected login applications. See the description and warnings about that option in the pam_krb5(5) man page.

Some configuration options may be put in the krb5.conf file used by your Kerberos libraries (usually /etc/krb5.conf or /usr/local/etc/krb5.conf) instead or in addition to the PAM configuration. See the man page for more details.

The Kerberos library, via pam-krb5, will prompt the user to change their password if their password is expired, but when using OpenSSH, this will only work when ChallengeResponseAuthentication is enabled. Unless this option is enabled, OpenSSH doesn't pass PAM messages to the user and can only respond to a simple password prompt.

If you are using MIT Kerberos, be aware that users whose passwords are expired will not be prompted to change their password unless the KDC configuration for your realm in [realms] in krb5.conf contains a master_kdc setting or, if using DNS SRV records, you have a DNS entry for _kerberos-master as well as _kerberos.

Debugging

The first step when debugging any problems with this module is to add debug to the PAM options for the module (either in the PAM configuration or in krb5.conf). This will significantly increase the logging from the module and should provide a trace of exactly what failed and any available error information.

Many Kerberos authentication problems are due to configuration issues in krb5.conf. If pam-krb5 doesn't work, first check that kinit works on the same system. That will test your basic Kerberos configuration. If the system has a keytab file installed that's readable by the process doing authentication via PAM, make sure that the keytab is current and contains a key for host/<system> where is the fully-qualified hostname. pam-krb5 prevents KDC spoofing by checking the user's credentials when possible, but this means that if a keytab is present it must be correct or authentication will fail. You can check the keytab with klist -k and kinit -k.

Be sure that all libraries and modules, including PAM modules, loaded by a program use the same Kerberos libraries. Sometimes programs that use PAM, such as current versions of OpenSSH, also link against Kerberos directly. If your sshd is linked against one set of Kerberos libraries and pam-krb5 is linked against a different set of Kerberos libraries, this will often cause problems (such as segmentation faults, bus errors, assertions, or other strange behavior). Similar issues apply to the com_err library or any other library used by both modules and shared libraries and by the application that loads them. If your OS ships Kerberos libraries, it's usually best if possible to build all Kerberos software on the system against those libraries.

Implementation Notes

The normal sequence of actions taken for a user login is:

    pam_authenticate
    pam_setcred(PAM_ESTABLISH_CRED)
    pam_open_session
    pam_acct_mgmt

and then at logout:

    pam_close_session

followed by closing the open PAM session. The corresponding pam_sm_* functions in this module are called when an application calls those public interface functions. Not all applications call all of those functions, or in particularly that order, although pam_authenticate is always first and has to be.

When pam_authenticate is called, pam-krb5 creates a temporary ticket cache in /tmp and sets the PAM environment variable PAM_KRB5CCNAME to point to it. This ticket cache will be automatically destroyed when the PAM session is closed and is there only to pass the initial credentials to the call to pam_setcred. The module would use a memory cache, but memory caches will only work if the application preserves the PAM environment between the calls to pam_authenticate and pam_setcred. Most do, but OpenSSH notoriously does not and calls pam_authenticate in a subprocess, so this method is used to pass the tickets to the pam_setcred call in a different process.

pam_authenticate does a complete authentication, including checking the resulting TGT by obtaining a service ticket for the local host if possible, but this requires read access to the system keytab. If the keytab doesn't exist, can't be read, or doesn't include the appropriate credentials, the default is to accept the authentication. This can be controlled by setting verify_ap_req_nofail to true in [libdefaults] in /etc/krb5.conf. pam_authenticate also does a basic authorization check, by default calling krb5_kuserok (which uses ~/.k5login if available and falls back to checking that the principal corresponds to the account name). This can be customized with several options documented in the pam_krb5(5) man page.

pam-krb5 treats pam_open_session and pam_setcred(PAM_ESTABLISH_CRED) as synonymous, as some applications call one and some call the other. Both copy the initial credentials from the temporary cache into a permanent cache for this session and set KRB5CCNAME in the environment. It will remember when the credential cache has been established and then avoid doing any duplicate work afterwards, since some applications call pam_setcred or pam_open_session multiple times (most notably X.Org 7 and earlier xdm, which also throws away the module settings the last time it calls them).

pam_acct_mgmt finds the ticket cache, reads it in to obtain the authenticated principal, and then does is another authorization check against .k5login or the local account name as described above.

After the call to pam_setcred or pam_open_session, the ticket cache will be destroyed whenever the calling application either destroys the PAM environment or calls pam_close_session, which it should do on user logout.

The normal sequence of events when refreshing a ticket cache (such as inside a screensaver) is:

    pam_authenticate
    pam_setcred(PAM_REINITIALIZE_CRED)
    pam_acct_mgmt

(PAM_REFRESH_CRED may be used instead.) Authentication proceeds as above. At the pam_setcred stage, rather than creating a new ticket cache, the module instead finds the current ticket cache (from the KRB5CCNAME environment variable or the default ticket cache location from the Kerberos library) and then reinitializes it with the credentials from the temporary pam_authenticate ticket cache. When refreshing a ticket cache, the application should not open a session. Calling pam_acct_mgmt is optional; pam-krb5 doesn't do anything different when it's called in this case.

If pam_authenticate apparently didn't succeed, or if an account was configured to be ignored via ignore_root or minimum_uid, pam_setcred (and therefore pam_open_session) and pam_acct_mgmt return PAM_IGNORE, which tells the PAM library to proceed as if that module wasn't listed in the PAM configuration at all. pam_authenticate, however, returns failure in the ignored user case by default, since otherwise a configuration using ignore_root with pam-krb5 as the only PAM module would allow anyone to log in as root without a password. There doesn't appear to be a case where returning PAM_IGNORE instead would improve the module's behavior, but if you know of a case, please let me know.

By default, pam_authenticate intentionally does not follow the PAM standard for handling expired accounts and instead returns failure from pam_authenticate unless the Kerberos libraries are able to change the account password during authentication. Too many applications either do not call pam_acct_mgmt or ignore its exit status. The fully correct PAM behavior (returning success from pam_authenticate and PAM_NEW_AUTHTOK_REQD from pam_acct_mgmt) can be enabled with the defer_pwchange option.

The defer_pwchange option is unfortunately somewhat tricky to implement. In this case, the calling sequence is:

    pam_authenticate
    pam_acct_mgmt
    pam_chauthtok
    pam_setcred
    pam_open_session

During the first pam_authenticate, we can't obtain credentials and therefore a ticket cache since the password is expired. But pam_authenticate isn't called again after pam_chauthtok, so pam_chauthtok has to create a ticket cache. We however don't want it to do this for the normal password change (passwd) case.

What we do is set a flag in our PAM data structure saying that we're processing an expired password, and pam_chauthtok, if it sees that flag, redoes the authentication with password prompting disabled after it finishes changing the password.

Unfortunately, when handling password changes this way, pam_chauthtok will always have to prompt the user for their current password again even though they just typed it. This is because the saved authentication tokens are cleared after pam_authenticate returns, for security reasons. We could hack around this by saving the password in our PAM data structure, but this would let the application gain access to it (exactly what the clearing is intended to prevent) and breaks a PAM library guarantee. We could also work around this by having pam_authenticate get the kadmin/changepw authenticator in the expired password case and store it for pam_chauthtok, but it doesn't seem worth the hassle.

History and Acknowledgements

Originally written by Frank Cusack [email protected], with the following acknowledgement:

Thanks to Naomaru Itoi [email protected], Curtis King [email protected], and Derrick Brashear [email protected], all of whom have written and made available Kerberos 4/5 modules. Although no code in this module is directly from these author's modules, (except the get_user_info() routine in support.c; derived from whichever of these authors originally wrote the first module the other 2 copied from), it was extremely helpful to look over their code which aided in my design.

The module was then patched for the FreeBSD ports collection with additional modifications by unknown maintainers and then was modified by Joel Kociolek [email protected] to be usable with Debian GNU/Linux.

It was packaged by Sam Hartman as the Kerberos v5 PAM module for Debian and improved and modified by him and later by Russ Allbery to fix bugs and add additional features. It was then adopted by Andres Salomon, who added support for refreshing credentials.

The current distribution is maintained by Russ Allbery, who also added support for reading configuration from krb5.conf, added many features for compatibility with the Sourceforge module, commented and standardized the formatting of the code, and overhauled the documentation.

Thanks to Douglas E. Engert for the initial implementation of PKINIT support. I have since modified and reworked it extensively, so any bugs or compilation problems are my fault.

Thanks to Markus Moeller for lots of debugging and multiple patches and suggestions for improved portability.

Thanks to Booker Bense for the implementation of the alt_auth_map option.

Thanks to Sam Hartman for the FAST support implementation.

Support

The pam-krb5 web page will always have the current version of this package, the current documentation, and pointers to any additional resources.

For bug tracking, use the issue tracker on GitHub. However, please be aware that I tend to be extremely busy and work projects often take priority. I'll save your report and get to it as soon as I can, but it may take me a couple of months.

Source Repository

pam-krb5 is maintained using Git. You can access the current source on GitHub or by cloning the repository at:

https://git.eyrie.org/git/kerberos/pam-krb5.git

or view the repository on the web.

The eyrie.org repository is the canonical one, maintained by the author, but using GitHub is probably more convenient for most purposes. Pull requests are gratefully reviewed and normally accepted.

License

The pam-krb5 package as a whole is covered by the following copyright statement and license:

Copyright 2005-2010, 2014-2015, 2017, 2020-2021 Russ Allbery [email protected]

Copyright 2009-2011 The Board of Trustees of the Leland Stanford Junior University

Copyright 2005 Andres Salomon [email protected]

Copyright 1999-2000 Frank Cusack [email protected]

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, and the entire permission notice in its entirety, including the disclaimer of warranties.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.

ALTERNATIVELY, this product may be distributed under the terms of the GNU General Public License, in which case the provisions of the GPL are required INSTEAD OF the above restrictions. (This clause is necessary due to a potential bad interaction between the GPL and the restrictions contained in a BSD-style copyright.)

THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Some files in this distribution are individually released under different licenses, all of which are compatible with the above general package license but which may require preservation of additional notices. All required notices, and detailed information about the licensing of each file, are recorded in the LICENSE file.

Files covered by a license with an assigned SPDX License Identifier include SPDX-License-Identifier tags to enable automated processing of license information. See https://spdx.org/licenses/ for more information.

For any copyright range specified by files in this package as YYYY-ZZZZ, the range specifies every single year in that closed interval.

pam-krb5's People

Contributors

dependabot[bot] avatar elric1 avatar hartmans avatar henryjacques avatar irush-cs avatar jhutz avatar peterbrei avatar rra avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar

Forkers

henryjacques madscientist159 jkdingwall univention spaceone chriscrawfordal jhutz jkbremer michaelmuehle steffen-kiess huckabeec yuethub cschuber

pam-krb5's Issues

pam_setcred fails when KRB5CCNAME=KEYRING:user:name

Using credential caches of type KEYRING (MIT Kerberos) has several issues:

  • KEYRING:persistent:uidnumber should work as expected. I didn't test, because standard Debian kernels do not have persistent keyrings.
  • KEYRING:session:name does not always copy credentials. This issue is IMHO entirely due to some applications calling _pam_open_session and pam_setcred in reversed order and the limitations of pam_keyinit.so (cf. linux-pam/linux-pam#149)
  • KEYRING:user:name may attach the credentials to the wrong keyring if the PAM application is not currently running with the user's credentials.

The last issue concerns pam_krb5.so. I see several solutions, but I don't know if they are acceptable:

  1. A setreuid()/setgeuid() call before calling krb5_cc_resolve. The module pam_keyinit.so does it without wondering about multi-threading, but the comments in pamk5_setcred tell me this solution would be discarded.
  2. Do the same as above, but using syscalls instead of libc, since they do not synchronize between threads.
  3. Wait for the application to open the user session before copying the credentials.

If you point me in the right direction I might provide a patch.

crash due acces to invalid context->princ pointer after error in pamk5_account

Debugging into crash problem in my local cups server that has pam_krb5 in his pam configuration I found a problem in pam_krb5.
Due to an not yet know issue the krb5_cc_get_principal call in

pam-krb5/module/account.c

Line 83 in ad9e3fe

retval = krb5_cc_get_principal(ctx->context, ctx->cache, &ctx->princ);

is failing.
As the ctx->princ is freed just before this call but not reset to NULL, the member seem's to be left in an invalid state.
In the error handling _pam_free_data is called from pam_end and tries to release ctx->princ again cause a crash.
So I think the ctx->princ should be reset after the free in account.c above.

Regards
Michael

Set a timeout for kerberos login

Sometimes my laptop is not connected to a network when I log in or has some issue with routing where, although it does have a default route, it does not actually have a network connection. These are all issues that are easy to solve once I log in, however, I am frequently left at the lockscreen for upwards of 2 minutes waiting for a kerberos timeout. Can an option be added to time-out kerberos in a more reasonable period of time, like 15 seconds? I'd have to run kinit when I log in anyway when it times out but having to wait 2 minutes is just too long. It does seem to recognize (usually) that I am offline if, for instance, there are no active network interfaces, however, my VPN does not always remove its interface and routes upon server disconnect (which should not cause an issue with something as crucial as a login screen.)

prompt_principal not parsed as pam argument

Version: pam_krb5 4.7 (self built rpm)
OS: Scientific Linux 6

When I set prompt_principal = true in /etc/krb5.conf, I am prompted as expected.

However, when I omit prompt_principal from the config file and set it as a PAM argument I am not prompted. Is there a specific way this argument should be passed in?

content of /etc/pam.d/system-auth (imported by the actual login process)

auth        required      pam_env.so
auth        [success=3 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=ok authinfo_unavail=2 ignore=2 default=die] pam_pkcs11.so card_only
auth        optional      pam_krb5.so debug=true    prompt_principal
auth        sufficient    pam_permit.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so
auth        required      pam_deny.so

7 module/basic tests fail on Alpine Linux

I tried to run the tests without a KDC as part of Alpine Linux's pam-krb5 packaging.

7 of the module/basic tests fail. I have posted the log bellow:

~/aports/testing/pam-krb5/src/pam-krb5-4.8/tests $ ./runtests -l TESTS 

Running all tests listed in TESTS.  If any tests fail, run the failing
test program with runtests -o to see more details.

docs/pod................skipped (POD syntax tests normally skipped)
docs/pod-spelling.......skipped (Spelling tests only run for author)
docs/urls...............skipped (Documentation URL tests only run for author)
module/alt-auth.........skipped (Kerberos tests not configured)
module/bad-authtok......skipped (Kerberos tests not configured)
module/basic............FAILED 9, 13-15, 31, 37-38
module/cache............skipped (Kerberos tests not configured)
module/cache-cleanup....skipped (Kerberos tests not configured)
module/expired..........skipped (Kerberos tests not configured)
module/fast.............skipped (Kerberos tests not configured)
module/no-cache.........skipped (Kerberos tests not configured)
module/pam-user.........skipped (Kerberos tests not configured)
module/password.........skipped (Kerberos tests not configured)
module/pkinit...........skipped (PKINIT tests not configured)
module/realm............skipped (Kerberos tests not configured)
module/stacked..........skipped (Kerberos tests not configured)
pam-util/args...........ok   
pam-util/fakepam........ok   
pam-util/logging........ok   
pam-util/options........ok     
pam-util/vector.........ok   
portable/asprintf.......ok   
portable/mkstemp........ok   
portable/snprintf.......ok       
portable/strndup........ok 

Failed Set                 Fail/Total (%) Skip Stat  Failing Tests
-------------------------- -------------- ---- ----  ------------------------
module/basic                  7/114    6%    0    0  9, 13-15, 31, 37-38

Failed 7/1464 tests, 99.52% okay, 15 tests skipped.


~/aports/testing/pam-krb5/src/pam-krb5-4.8/tests $ ./runtests -o module/basic-t
# Starting data/scripts/basic/no-context
ok 1 - status for acct_mgmt
ok 2 - status for setcred(DELETE_CRED)
ok 3 - status for setcred(ESTABLISH_CRED)
ok 4 - status for setcred(REFRESH_CRED)
ok 5 - status for setcred(REINITIALIZE_CRED)
ok 6 - status for open_session
ok 7 - status for close_session
ok 8 - no output
# Starting data/scripts/basic/force-first
# wanted: 7
#   seen: 3
not ok 9 - status for authenticate
ok 10 - status for acct_mgmt
ok 11 - status for open_session
ok 12 - status for close_session
# wanted: 5
#   seen: 3
not ok 13 - output priority 1
# wanted: authentication failure; logname=root uid=1000 euid=1000 tty= ruser= rhost=
#   seen: (user root) parse_name failed: Configuration file does not specify default realm
not ok 14 - output line 1
# unexpected: (5) authentication failure; logname=root uid=1000 euid=1000 tty= ruser= rhost=
not ok 15 - unexpected output lines
# Starting data/scripts/basic/ignore-root-debug
ok 16 - status for authenticate
ok 17 - status for chauthtok(PRELIM_CHECK)
ok 18 - output priority 1
ok 19 - output line 1
ok 20 - output priority 2
ok 21 - output line 2
ok 22 - output priority 3
ok 23 - output line 3
ok 24 - output priority 4
ok 25 - output line 4
ok 26 - output priority 5
ok 27 - output line 5
ok 28 - output priority 6
ok 29 - output line 6
ok 30 - no excess output
# Starting data/scripts/basic/force-first-debug
# wanted: 7
#   seen: 3
not ok 31 - status for authenticate
ok 32 - status for acct_mgmt
ok 33 - status for open_session
ok 34 - status for close_session
ok 35 - output priority 1
ok 36 - output line 1
# wanted: 7
#   seen: 3
not ok 37 - output priority 2
# wanted: (user root) no stored password
#   seen: (user root) parse_name failed: Configuration file does not specify default realm
not ok 38 - output line 2
ok 39 - output priority 3
ok 40 - output line 3
ok 41 - output priority 4
ok 42 - output line 4
ok 43 - output priority 5
ok 44 - output line 5
ok 45 - output priority 6
ok 46 - output line 6
ok 47 - output priority 7
ok 48 - output line 7
ok 49 - output priority 8
ok 50 - output line 8
ok 51 - output priority 9
ok 52 - output line 9
ok 53 - output priority 10
ok 54 - output line 10
ok 55 - output priority 11
ok 56 - output line 11
ok 57 - no excess output
# Starting data/scripts/basic/no-context-debug
ok 58 - status for acct_mgmt
ok 59 - status for setcred(DELETE_CRED)
ok 60 - status for setcred(ESTABLISH_CRED)
ok 61 - status for setcred(REFRESH_CRED)
ok 62 - status for setcred(REINITIALIZE_CRED)
ok 63 - status for open_session
ok 64 - status for close_session
ok 65 - output priority 1
ok 66 - output line 1
ok 67 - output priority 2
ok 68 - output line 2
ok 69 - output priority 3
ok 70 - output line 3
ok 71 - output priority 4
ok 72 - output line 4
ok 73 - output priority 5
ok 74 - output line 5
ok 75 - output priority 6
ok 76 - output line 6
ok 77 - output priority 7
ok 78 - output line 7
ok 79 - output priority 8
ok 80 - output line 8
ok 81 - output priority 9
ok 82 - output line 9
ok 83 - output priority 10
ok 84 - output line 10
ok 85 - output priority 11
ok 86 - output line 11
ok 87 - output priority 12
ok 88 - output line 12
ok 89 - output priority 13
ok 90 - output line 13
ok 91 - output priority 14
ok 92 - output line 14
ok 93 - output priority 15
ok 94 - output line 15
ok 95 - output priority 16
ok 96 - output line 16
ok 97 - output priority 17
ok 98 - output line 17
ok 99 - output priority 18
ok 100 - output line 18
ok 101 - output priority 19
ok 102 - output line 19
ok 103 - output priority 20
ok 104 - output line 20
ok 105 - output priority 21
ok 106 - output line 21
ok 107 - output priority 22
ok 108 - output line 22
ok 109 - output priority 23
ok 110 - output line 23
ok 111 - no excess output
# Starting data/scripts/basic/ignore-root
ok 112 - status for authenticate
ok 113 - status for chauthtok(PRELIM_CHECK)
ok 114 - no output

module not compliant with Linux-PAM documentation

The man pam_end and Linux-PAM app documentation says that:

...... This argument can be logically OR'd
       with PAM_DATA_SILENT to indicate that the module
       should not treat the call too seriously. It is generally used to
       indicate that the current closing of the library is in a
       fork(2)ed process, and that the parent will take care of cleaning
       up things that exist outside of the current process space (files
       etc.).

Based on bug reports and the issue discussed here+, I'd like to suggest the following patch (or something like it) be considered for inclusion in the pam-krb5 module:

diff --git a/module/context.c b/module/context.c
index 9664483..222b70b 100644
--- a/module/context.c
+++ b/module/context.c
@@ -160,10 +160,15 @@ pamk5_context_free(struct pam_args *args)
  */
 void
 pamk5_context_destroy(pam_handle_t *pamh UNUSED, void *data,
-                      int pam_end_status UNUSED)
+                      int pam_end_status)
 {
     struct context *ctx = (struct context *) data;
 
+#ifdef __LINUX_PAM__
+    if (pam_end_status == PAM_SUCCESS | PAM_DATA_SILENT)
+       return;
+#endif /* def __LINUX_PAM__ */
+
     if (ctx != NULL)
         context_free(ctx, true);
 }

debug pam_krb5

Hello,

I can't debug pam_krb5 on my Ubuntu 14.04 64bits.
This is what I get in /var/log/syslog when enabling "debug = true" in krb5.conf

Oct 16 18:17:01 host CRON[6465]: pam_krb5(cron:setcred): trace logging requested but not supported
Oct 16 18:17:01 host CRON[6465]: pam_krb5(cron:setcred): pam_sm_setcred: entry (establish|silent)
Oct 16 18:17:01 host CRON[6465]: pam_krb5(cron:setcred): no context found, creating one
Oct 16 18:17:01 host CRON[6465]: pam_krb5(cron:setcred): ignoring low-UID user (0 < 1000)
Oct 16 18:17:01 host CRON[6465]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
Oct 16 18:17:01 host CRON[6466]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Oct 16 18:17:01 host CRON[6465]: pam_krb5(cron:setcred): trace logging requested but not supported
Oct 16 18:17:01 host CRON[6465]: pam_krb5(cron:setcred): pam_sm_setcred: entry (delete|silent)
Oct 16 18:17:01 host CRON[6465]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)

So I'm getting the "trace logging requested but not supported"
In options.c it happens if I don't have the HAVE_KRB5_SET_TRACE_FILENAME defined.
So what do I have to do?

What am I doing wrong?

Thanks in advance!

pam-krb5 password change

please,help me. i want change password in domain. but if i will change passwork,then new password i will write in a field,where i was entered old password. it is not true. if i will eneter new password,then i will want create new form,where i will enter new password and click to button "Change". can you will do it?

docs build failure: /bin/bash: line 1: docs/pam_krb5.5: No such file or directory

Hi,

I'm rebuilding libpam-krb5 from the Ubuntu package source and including a patch for the man page. The compile fails:

make[4]: Entering directory '/build/Rebuilds/libpam-krb5/work/libpam-krb5-4.11/build-mit'
make  all-am
make[5]: Entering directory '/build/Rebuilds/libpam-krb5/work/libpam-krb5-4.11/build-mit'
pod2man --release="4.11" --center=pam-krb5 -s 5 \
    ../docs/pam_krb5.pod > docs/pam_krb5.5
/bin/bash: line 1: docs/pam_krb5.5: No such file or directory
make[5]: *** [Makefile:2077: docs/pam_krb5.5] Error 1
make[5]: *** Waiting for unfinished jobs....
make[5]: Leaving directory '/build/Rebuilds/libpam-krb5/work/libpam-krb5-4.11/build-mit'
make[4]: *** [Makefile:855: all] Error 2
make[4]: Leaving directory '/build/Rebuilds/libpam-krb5/work/libpam-krb5-4.11/build-mit'
dh_auto_build: error: cd build-mit && make -j8 returned exit code 2
make[3]: *** [debian/rules:33: override_dh_auto_build] Error 2
make[3]: Leaving directory '/build/Rebuilds/libpam-krb5/work/libpam-krb5-4.11'
make[2]: *** [debian/rules:12: binary] Error 2
make[2]: Leaving directory '/build/Rebuilds/libpam-krb5/work/libpam-krb5-4.11'
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2
make[1]: *** [../Makefile.rebuild:42: build-exec] Error 2
make[1]: Leaving directory '/build/ci/jdingwall/zynstra/Rebuilds/libpam-krb5'
make: *** [/build/ci/jdingwall/zynstra/Makefile.pkg:253: build-exec-do] Error 2
make: Leaving directory '/build/ci/jdingwall/zynstra/Rebuilds/libpam-krb5'

I'm not sure if this is a result of the debian packaging or that the Makefile.am is missing something which should create the docs directory. In build-mit/Makefile there are blocks such as:

pam-util/$(am__dirstamp):
        @$(MKDIR_P) pam-util
        @: > pam-util/$(am__dirstamp)

which create the other directories under build-mit but no similar rule for docs/$(am__dirstamp). If I create the docs directory during the build then the man page is rebuilt from the .pod and the file ends up being included as part of the .deb. If I add the mkdir line in to Makefile.am then the build works. I don't know automake so possibly there is a more correct way to achieve this.

 # The manual page is normally generated by the bootstrap script, but add a
 # Makefile rule to regenerate it if it is modified.
 docs/pam_krb5.5: $(srcdir)/docs/pam_krb5.pod
       $(MKDIR_P) docs
        pod2man --release="$(VERSION)" --center=pam-krb5 -s 5 \
            $(srcdir)/docs/pam_krb5.pod > $@

allow_kdc_spoof: Refuse to operate without a key to verify tickets.

Hello, FreeBSD/NetBSD has patched their pam_krb5 module to fix spoofing vulnerability. They didn't use krb5_verify_init_creds() method where by default allow the spoofing with the configuration "verify_ap_req_nofail" to false. This default option cannot be changed, as discussed on 2011 (see reference 4), because it could break deployments not using host keys.

So, may it be possible to change the way credentials are verify using an argument as it was done for freeBSD with "allow_kdc_spoof", where by default the spoofing vulnerability is fixed, in this pam-krb5 project ?

References:

  1. NetBSD commit
  2. FreeBSD commit
  3. CVS commit
  4. mail discussions

Use k5login_directory

If search_k5login is specified, pam_krb5 only looks up .k5login in the user's home directory.
Kerberos allows to specify a k5login_directory, so that the k5login file would be <k5login_directory>/
This allows to authenticate via kerberos and then mount an encrypted home directory.

Changing password is not possible

Hi :-)

heimdal now (>= version 7.1.0 / heimdal/heimdal#152 / heimdal/heimdal@7422cd1) supports the krb5_get_init_creds_opt_set_change_password_prompt API. Therefore the defer_pwchange option works!
This can be documented at:
6a46b47

Now it seems there is a problem in pam_krb5 during changing the password, which is not possible. I have the following configuration:

auth     sufficient pam_krb5.so use_first_pass defer_pwchange debug=true trace=/tmp/krb5
auth     required pam_deny.so
account  required pam_krb5.so force_pwchange debug=true trace=/tmp/krb5
password required pam_krb5.so use_first_pass use_authtok defer_pwchange debug=true trace=/tmp/krb5

When I do a chauthtok I receive the following error:

>>> pam.chauthtok()
login:test99
Current Kerberos password: 
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
PAM.error: ('Authentication token is no longer valid; new one required', 12)

The logs don't contain anything useful. I can't switch on debug=true or get trace=... working. Maybe you have got an idea:

Apr 28 10:55:40 xen3 python: pam_krb5(service:chauthtok): trace logging requested but not supported
Apr 28 10:55:40 xen3 python: pam_krb5(service:chauthtok): pam_sm_chauthtok: entry (prelim)
Apr 28 10:55:43 xen3 python: pam_krb5(service:chauthtok): (user test99) attempting authentication as [email protected] for kadmin/changepw
Apr 28 10:55:43 xen3 python: pam_krb5(service:chauthtok): (user test99) krb5_get_init_creds_password: Password has expired
Apr 28 10:55:43 xen3 python: pam_krb5(service:chauthtok): pam_sm_chauthtok: exit (failure)

`module/long` tests always fail if `default_realm` is unset.

Test Platform: fedora-mock

The default build environment for mock on Fedora (and other rpm distros) is to have default_realm in /etc/krb5.conf unset.

I think if the unit tests provided some sort of "UNIT-TEST.EXAMPLE.COM" realm to the user argument, they would work...

[mockbuild@69883bfbc1ac4b1cab35913c388e0181 tests]$ ./runtests -o module/long-t
# Starting data/scripts/long/password
#  left: 7
# right: 3
not ok 1 - status for authenticate
#  left: 5
# right: 3
not ok 2 - output priority 1
#  left: authentication failure; logname=test uid=1000 euid=1000 tty= ruser= rhost=
# right: (user test) parse_name failed: Configuration file does not specify default realm
not ok 3 - output line 1
# unexpected: (5) authentication failure; logname=test uid=1000 euid=1000 tty= ruser= rhost=
not ok 4 - unexpected output lines
# Starting data/scripts/long/password-debug
#  left: 7
# right: 3
not ok 5 - status for authenticate
ok 6 - output priority 1
ok 7 - output line 1
#  left: 7
# right: 3
not ok 8 - output priority 2
# wanted: /^\(user test\) rejecting password longer than [0-9]+$/
#   seen: (user test) parse_name failed: Configuration file does not specify default realm
not ok 9 - output line 2
ok 10 - output priority 3
ok 11 - output line 3
ok 12 - output priority 4
ok 13 - output line 4
ok 14 - no excess output
# Starting data/scripts/long/use-first
#  left: 7
# right: 3
not ok 15 - status for authenticate
#  left: 5
# right: 3
not ok 16 - output priority 1
#  left: authentication failure; logname=test uid=1000 euid=1000 tty= ruser= rhost=
# right: (user test) parse_name failed: Configuration file does not specify default realm
not ok 17 - output line 1
# unexpected: (5) authentication failure; logname=test uid=1000 euid=1000 tty= ruser= rhost=
not ok 18 - unexpected output lines
# Starting data/scripts/long/use-first-debug
#  left: 7
# right: 3
not ok 19 - status for authenticate
ok 20 - output priority 1
ok 21 - output line 1
#  left: 7
# right: 3
not ok 22 - output priority 2
# wanted: /^\(user test\) rejecting password longer than [0-9]+$/
#   seen: (user test) parse_name failed: Configuration file does not specify default realm
not ok 23 - output line 2
ok 24 - output priority 3
ok 25 - output line 3
ok 26 - output priority 4
ok 27 - output line 4
ok 28 - no excess output
1..28
# Looks like you failed 14 tests of 28

Debugging issue / configuration issue

I am failing to enable the debug mode to get more verbose output why ticket forwarding potentially does not work

I have a elaborated setup description here https://serverfault.com/q/947900/281162

as you see I enable trace, debug and also use rsyslog with *. debug /var/log/debug

neither trace nor debug is working

as you see my configuration works for mod_kerb_auth with apache, also with kinit and so on, so I assume the krb5.conf is fine.

what i wonder about is though, what SPN is required when logging through Pam... for apache mod_kerb_auth it must be HTTP/request-domain

could it be different for Pam krb? I read something about the SPN to be the hostame? does this mean $(hostname - f)@DOMAIN.. how does Pam krb determine the SPN? can I manually set it?

defer_pwchange not evaluated

Hi, I am unsure if this is the correct place.
I've got a debian system with libpam-heimdal:amd64 4.6-1.22.201403250545 which provides pam_krb5.so.

In my PAM stack I define:

auth     sufficient                         pam_krb5.so use_first_pass defer_pwchange

And I still get prompted for the 'New password: ' if the user password has expired when doing authenticate(). The PAM module returns PAM_AUTH_ERR (7) then instead of SUCCESS.
acct_mgmt() returns SUCCESS after the failed authentication/password update.
It works if the user is a samba4 user but not if the user is a Active Directory user.

Option to specify maximum password length

Hello ;-)
If would be nice if pam-krb5 would provide a configuration option to specify a maximum allowed password length.
A client could potentially supply a password which is > 10000000 (or more) characters long. During the hashsum/crypt generation (sha512, sha256, etc.) of the supplied password the process is blocked and therefore allows Denial of Service. Especially in processes where PAM is called in a (e.g. python) thread with global interpreter lock, this blocks the whole process and deadlocks.

The limit should probably be configurable for pam_authenticate(), pam_acct_mgmt() (not sure) and pam_chauthtok().
Nice would be, if the user gets a error message explaining that the maximum password length limit of %d characters was reached.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.