Subject: Possible problem in pam_krb5
To: None <tech-security@NetBSD.org>
From: Luke Mewburn <lukem@NetBSD.org>
List: tech-security
Date: 09/19/2005 10:18:39

Hi all:

A while ago I was examining the source to various PAM modules
learning how to write a custom one that changes PAM_USER
(which is supported).
Part of this research resulted in my submission of:
	PR 30608 sshd doesn't honour PAM modules changing PAM_USER

Another part of my research leads me to believe that pam_krb5 isn't
correctly dealing with the user name being changed by itself _internally_.

See around line 207:

	/* Verify the local user exists (AFTER getting the password) */
	if (strchr(user, '@')) {
		/* get a local account name for this principal */
		krbret = krb5_aname_to_localname(pam_context, princ,
		    sizeof(luser), luser);
			// [...]
		retval = pam_set_item(pamh, PAM_USER, luser);
			// [...]
	}
	if (getpwnam_r(user,	// [...]

AFAICT, the getpwnam_r() may attempt to look up a local username
of the form "user/foo@bar.com", which will fail, since krb5
is a PAM authentication service, not an nsswitch name service,
so the getpwnam_r() of "user/foo@bar.com" will fail.

Or have I missed something?

Cheers,
Luke.
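
The flow questioned in the message above, modelled as an added example (not part of the original post and not the pam_krb5 source). `lookup_local()` and `aname_to_localname()` are hypothetical, simplified stand-ins for getpwnam_r() and krb5_aname_to_localname(), and the account and principal names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data: the only local account on this "system". */
static const char *local_accounts[] = { "luke", NULL };

/* Hypothetical stand-in for getpwnam_r(): 0 if name is a local account. */
static int lookup_local(const char *name) {
    for (size_t i = 0; local_accounts[i] != NULL; i++)
        if (strcmp(local_accounts[i], name) == 0)
            return 0;
    return -1;
}

/* Hypothetical, simplified stand-in for krb5_aname_to_localname():
 * keeps the first component of the principal (not the real mapping rules). */
static int aname_to_localname(const char *princ, size_t len, char *lname) {
    size_t n = strcspn(princ, "/@");
    if (n == 0 || n >= len)
        return -1;
    memcpy(lname, princ, n);
    lname[n] = '\0';
    return 0;
}

/* Flow as quoted: the mapped name goes to PAM_USER, but the later
 * lookup still uses the original `user` string. */
int check_as_quoted(const char *user) {
    char luser[32];
    if (strchr(user, '@') != NULL) {
        if (aname_to_localname(user, sizeof(luser), luser) != 0)
            return -1;
        /* pam_set_item(pamh, PAM_USER, luser) would be called here */
    }
    return lookup_local(user);
}

/* One possible correction: look up the name that was actually mapped. */
int check_mapped(const char *user) {
    char luser[32];
    const char *name = user;
    if (strchr(user, '@') != NULL) {
        if (aname_to_localname(user, sizeof(luser), luser) != 0)
            return -1;
        name = luser;
    }
    return lookup_local(name);
}
```
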
