[19742] in Kerberos
Re: which krb5 PAM module on Solaris 8?
daemon@ATHENA.MIT.EDU (Balazs GAL)
Fri Aug 1 18:52:09 2003
Message-ID: <3F2AEE30.5080900@rit.bme.hu>
Date: Sat, 02 Aug 2003 00:48:16 +0200
From: Balazs GAL <balsa@rit.bme.hu>
MIME-Version: 1.0
To: Sam Hartman <hartmans@MIT.EDU>, kerberos@MIT.EDU,
mooney@dogbert.cc.ndsu.NoDak.edu
In-Reply-To: <tslr846tmny.fsf@konishi-polis.mit.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Errors-To: kerberos-bounces@mit.edu
Sam Hartman írta:
> I think that the PAM module with the most potential is the one in the
> Linux-PAM repository on sourceforge. I'm not sure it's really usable
> in its current form.
In what state is it? :
gcc -c -fpic -g -O2 -I/usr/include -I/usr/include pam_krb5_auth.c
pam_krb5_auth.c:123:45: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:132:67: pasting "pam_krb5_log" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:167:39: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:175:35: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:183:35: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:187:38: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:209:71: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:212:50: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:224:77: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:247:50: pasting "pam_krb5_log" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:253:47: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:268:35: pasting "pam_krb5_log" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:297:57: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:301:38: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:332:50: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:340:54: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:360:39: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:363:70: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:367:51: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:374:51: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:380:70: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:405:30: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:412:34: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:420:34: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:427:64: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
pam_krb5_auth.c:434:45: pasting "pam_krb5_debug" and "(" does not give a
valid preprocessing token
make: *** [pam_krb5_auth.o] Error 1
Or something from it's mail archive:
http://mailman.mit.edu/pipermail/kerberos/2003-February/002556.html
"""
It appears I've stumbled across a security hole in pam_krb5-1.0.3 . This
occurs in the latest cvs found at
pserver:anonymous at cvs.sourceforge.net:/cvsroot/pam
When I use the module above on a Solaris 8 machine, I get the following
behavior:
<jfh at waterspout:/cise/sys/src0/jfh/kerberos/pam_krb5-1.0> 1876 :
su - jfhmtest
Password for jfhmtest at CISE.UFL.EDU:
waterspout% id
uid=0(root) gid=50(stdnt) euid=7048(jfhmtest)
The uid of the target user is 0, instead of 7048 .
[...]
"""
I dont say, that this is not a great tool.
The authors of it are excellent peoples with very good knowledge!
It's GREAT, but not maintained since 2001.
balsa
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
