
List:       focus-sun
Subject:    Re: SEAM, KRB5 and phrase length
From:       Neil Long <neil.long () COMPUTING-SERVICES ! OXFORD ! AC ! UK>
Date:       2001-04-04 10:14:33

On Dec 18, 12:52pm, Darren Moffat wrote:
> Subject: Re: SEAM, KRB5 and phrase length
> >Is there a length limit for pam and is this configurable? If not is
> >there a list of problem characters for the dtlogin (i.e. CDE front
> >end)?
>
> This is bug# 4373142 which has been fixed for the next release of Solaris
> (the pam module is part of core Solaris from Solaris 8 onwards).
>
> I believe there are plans to release a patch. If you are interested in
> this then you need to log a call with your local Sun Enterprise Services
> centre and explain you are interested in a patch for bug# 4373142.
>
> --
> Darren J Moffat
>-- End of excerpt from Darren Moffat

Hello

Such a patch does seem to have appeared for Solaris 8 - 109805
This is currently at 109805-03 but appears to break the use of Kerberos5
authentication unless the local password and the K5 passwd are the same.

To recap:

Solaris 8 with the SEAM libraries installed [no patch 109805]
minor change to /etc/pam.conf to enable
dtlogin auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1

(Warning - do not enable 'other' if you are testing as 'su' will
be disabled if you have the same problem as I am having - read on!)

This works fine for the CDE dtlogin provided that the kerberos
password is 8 characters or less (not too smart). Note that if the
local password and Kerberos password differ then you will be correctly
prompted via dtlogin. I.e. it is required that the local password is
good and then after the optional Kerberos password is entered the
tickets will be collected ready and waiting.

If 109805-02 or 109805-03 are applied the only way to login and collect
tickets is for the local password and the Kerberos password to be
identical. If they are not there is no prompt for the kerberos password
i.e. the second try no longer happens.

It is even worse if su is used (i.e. 'other' enabled for kerberos) as
it exits and you are stuck (unless you have another shell open ahead
of applying the patch - the MIT kerberised 'su' will work since that
is not PAM-aware).

The problem is that the above patches are now appearing in the patch
bundles for Solaris 8.

Can anyone else confirm this behaviour? I have tried backing out
patches (i.e. no 109805-*) and double checking but can't get around
the problems above.

The only way I can see to use the longer phrase (256 chars by default)
for kerberos tickets is to comment out the pam.conf lines and get the
tickets after normal login.

regards
Neil

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Dr Neil J Long, Computing Services, University of Oxford
 13 Banbury Road, Oxford, OX2 6NN, UK Tel:+44 1865 273232 Fax:+44 1865 273275
 EMail:       Neil.Long@computing-services.oxford.ac.uk
 PGP:    ID 0xE88EF71F    OxCERT: oxcert@ox.ac.uk PGP: ID 0x9FF898D5
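As an added example (not part of Neil's post or of Solaris), the following script parses pam.conf entries of the form quoted above and flags the two stacking choices the post warns about: pam_krb5 placed in the 'other' stack (which also governs su) and an auth entry without try_first_pass. The pam.conf sample embedded in it is constructed for illustration.

```python
"""Parse Solaris-style pam.conf lines and flag pam_krb5 stacking pitfalls.

Added example, not code from the original post. SAMPLE_PAM_CONF is a
constructed sample: the two dtlogin lines from the message plus an
'other' entry of the kind the message warns against.
"""
from collections import defaultdict

SAMPLE_PAM_CONF = """
# constructed sample pam.conf
dtlogin auth    optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
other   auth    required /usr/lib/security/$ISA/pam_unix.so.1
other   auth    optional /usr/lib/security/$ISA/pam_krb5.so.1
"""


def parse_pam_conf(text):
    """Return a list of dicts: service, type, flag, module, options."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % line)
        service, mtype, flag, module = fields[:4]
        entries.append({"service": service, "type": mtype, "flag": flag,
                        "module": module, "options": fields[4:]})
    return entries


def krb5_findings(entries):
    """List the services stacking pam_krb5 and the pitfalls from the post."""
    findings = []
    by_service = defaultdict(list)
    for e in entries:
        if "pam_krb5" in e["module"]:
            by_service[e["service"]].append(e)
    for service, krb in by_service.items():
        if service == "other":
            # 'other' is the fallback stack, so su picks up pam_krb5 too;
            # the post reports su exiting with no way back in.
            findings.append("other: pam_krb5 in the 'other' stack also "
                            "applies to su; a broken second try locks you out")
        for e in krb:
            if e["type"] == "auth" and "try_first_pass" not in e["options"]:
                findings.append("%s: auth entry lacks try_first_pass, so "
                                "pam_krb5 will not reuse the password already "
                                "entered" % service)
    return sorted(findings)
```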
