Subject: Re: Possible problem in pam_krb5
To: Luke Mewburn <>
From: John Nemeth <>
List: tech-security
Date: 09/20/2005 04:12:00
On Feb 9,  4:54am, Luke Mewburn wrote:
} A while ago I was examining the source to various PAM modules
} learning how to write a custom one that changes PAM_USER
} (which is supported).
} Part of this research resulted in my submission of:
} 	PR 30608 sshd doesn't honour PAM modules changing PAM_USER
} Another part of my research leads me to believe that pam_krb5 isn't
} correctly dealing with the user name being changed by itself _internally_.
} See around line 207:
} 	/* Verify the local user exists (AFTER getting the password) */
} 	if (strchr(user, '@')) {
} 		/* get a local account name for this principal */
} 		krbret = krb5_aname_to_localname(pam_context, princ,
} 		    sizeof(luser), luser);
} 			// [...]
} 		retval = pam_set_item(pamh, PAM_USER, luser);
} 			// [...]
} 	}
} 	if (getpwnam_r(user,	// [...]
} AFAICT, the getpwnam_r() may attempt to lookup a local username
} of the form "user/", which will fail, since krb5

     It does appear that this can happen.

} is a PAM authentication service not an nsswitch name service,
} so the getpwnam_r() of "user/" will fail.

     Whether it fails would depend on what nsswitch name service
modules are installed and what they do.

} Or have I missed something?

     The possibility that an nsswitch name service module that can
handle "user/" may be installed.  Whether or not this is the
right thing to do, I have no idea since I don't know much about
kerberos.  If it is the wrong thing, then it appears that the
getpwnam_r line should be something like:
getpwnam_r(*luser ? luser : user, [...] .  Of course, luser would have
to be initialised.

}-- End of excerpt from Luke Mewburn