Subject: Possible problem in pam_krb5
To: None <>
From: Luke Mewburn <>
List: tech-security
Date: 09/19/2005 10:18:39

Hi all:

A while ago I was examining the source to various PAM modules
learning how to write a custom one that changes PAM_USER
(which is supported).
Part of this research resulted in my submission of:
	PR 30608 sshd doesn't honour PAM modules changing PAM_USER

Another part of my research leads me to believe that pam_krb5 isn't
correctly dealing with the user name being changed by itself _internally_.

See around line 207:

	/* Verify the local user exists (AFTER getting the password) */
	if (strchr(user, '@')) {
		/* get a local account name for this principal */
		krbret = krb5_aname_to_localname(pam_context, princ,
		    sizeof(luser), luser);
			// [...]
		retval = pam_set_item(pamh, PAM_USER, luser);
			// [...]
	if (getpwnam_r(user,	// [...]

AFAICT, the getpwnam_r() may attempt to look up a local username
of the form "user/", which will fail, since krb5
is a PAM authentication service, not an nsswitch name service,
so the getpwnam_r() of "user/" will fail.

Or have I missed something?
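
The pattern the message describes, as an added self-contained illustration (not pam_krb5 source and not part of the original post): a name is mapped to a local account, but the later lookup still uses the unmapped variable. local_lookup(), map_to_local(), the account list and the realm EXAMPLE.ORG are hypothetical stand-ins for getpwnam_r(), krb5_aname_to_localname() and real system data.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the local passwd database. */
static const char *const local_accounts[] = { "alice", "bob" };

/* Hypothetical stand-in for getpwnam_r(): 0 if the account exists. */
static int local_lookup(const char *name)
{
	for (size_t i = 0; i < sizeof(local_accounts) / sizeof(local_accounts[0]); i++)
		if (strcmp(local_accounts[i], name) == 0)
			return 0;
	return -1;
}

/* Hypothetical stand-in for krb5_aname_to_localname(): strips "@REALM"
 * when the realm is the constructed default realm EXAMPLE.ORG. */
static int map_to_local(const char *princ, size_t len, char *luser)
{
	const char *at = strchr(princ, '@');
	size_t n = at ? (size_t)(at - princ) : 0;
	if (n == 0 || n >= len || strcmp(at + 1, "EXAMPLE.ORG") != 0)
		return -1;
	memcpy(luser, princ, n);
	luser[n] = '\0';
	return 0;
}

/* Pattern from the excerpt: map the name, then look up the old `user`. */
int check_stale(const char *user)
{
	char luser[32];
	if (strchr(user, '@') && map_to_local(user, sizeof(luser), luser) != 0)
		return -1;
	return local_lookup(user);	/* still the principal-style name */
}

/* Alternative: point `user` at the mapped name before the lookup. In a
 * PAM module this could mean re-reading PAM_USER with pam_get_item(). */
int check_remapped(const char *user)
{
	char luser[32];
	if (strchr(user, '@')) {
		if (map_to_local(user, sizeof(luser), luser) != 0)
			return -1;
		user = luser;
	}
	return local_lookup(user);
}
```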

