Re: kerberos issues with 10.0_BETA post openssl update

To: Taylor R Campbell <riastradh%NetBSD.org@localhost>
Subject: Re: kerberos issues with 10.0_BETA post openssl update
From: Mark Davies <mark%ecs.vuw.ac.nz@localhost>
Date: Wed, 6 Sep 2023 16:41:00 +1200



On 6/09/23 12:09, Mark Davies wrote:

The problem with that one is that su doesn't actually die, the pam_ksujust errors in some way so that pam abandons it and moves on to otherauthentication types, and I can't ktrace it as su is a suid program soI'll probably have to stuff some more debugging into pam_ksu.c to tryand narrow it down.

OK, so revision 1.10 of pam_ksu.c adds a call tokrb5_set_home_dir_access(NULL, FALSE);which causes the subsequent call to krb5_kuserok() to return false whenpreviously it would return true causing the whole pam_ksu to bail.

krb5_kuserok() is presuambly now returning false because if it can'taccess the homedir it can't read /root/.k5login to see thatmark/root%ECS.VUW.AC.NZ@localhost is allowed.


cheers
mark

Follow-Ups:
- Re: kerberos issues with 10.0_BETA post openssl update
  - From: Taylor R Campbell

References:
- Re: kerberos issues with 10.0_BETA post openssl update
  - From: Taylor R Campbell
- Re: kerberos issues with 10.0_BETA post openssl update
  - From: Mark Davies

Prev by Date: daily CVS update output
Next by Date: Re: kerberos issues with 10.0_BETA post openssl update
Previous by Thread: Re: kerberos issues with 10.0_BETA post openssl update
Next by Thread: Re: kerberos issues with 10.0_BETA post openssl update
Indexes:

Home | Main Index | Thread Index | Old Index