← Back to team overview

desktop-packages team mailing list archive

  1. desktop-packages team
  2. Mailing list archive
  3. Message #90340

[Bug 1336663] Re: lightdm uses wrong ccache name on pam_krb5 credentials refresh

  Thread PreviousDate PreviousThread Next 
Hello again,

Thanks @Sergio for the krenew tip.

I'd rather not automatically renew a user ticket without having him
supply its password from time to time.

I came up with a *horrible* workaround which I believe does not break
the entire Kerberos security (please correct me if I'm wrong):


In /etc/pam.d/common-auth:
auth optional pam_script.so dir=/etc/security/pam-script.d


In /etc/security/pam-script.d/pam_script_auth:
#!/bin/sh

## Kerberos 5 credential cache (ticket) hack
#  REF: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1336663
sh -c "sleep 3; PAM_USER=${PAM_USER} /etc/security/pam-script.d/krb5cc_rename" &


In /etc/security/pam-script.d/krb5cc_rename:
#!/bin/sh

## Kerberos 5 credential cache (ticket) hack
#  REF: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1336663

# Parameters
KRB5CC_DIR='/tmp'

# Look for matching - although misnamed - credential cache
# ... retrieve user UID
KRB5CC_UID="$(id -u "${PAM_USER}")"
[ -z "${KRB5CC_UID}" ] && echo 'ERROR: Failed to retrieve user UID' && exit 1
# ... look for user matching/misnamed ticket
KRB5CC_SRC="$(find "${KRB5CC_DIR}" -maxdepth 1 -uid "${KRB5CC_UID}" -name 'krb5cc_0')"
[ -z "${KRB5CC_SRC}" ] && echo 'INFO: No matching/misnamed Kerberos 5 ticket found' && exit 0
# ... look for *older* user ticket (do not replace a newer one)
KRB5CC_DST="$(find "${KRB5CC_DIR}" -maxdepth 1 -uid "${KRB5CC_UID}" -name "krb5cc_${KRB5CC_UID}_*" -not -newer "${KRB5CC_SRC}" | head -n 1)"
[ -z "${KRB5CC_DST}" ] && echo 'INFO: No previous/user Kerberos 5 ticket found' && exit 0
# ... check Kerberos principal matches (just to be on the safe side; let's not rely only on files ownership)
[ "$(klist "${KRB5CC_SRC}" | grep '^Default principal:')" != "$(klist "${KRB5CC_DST}" | grep '^Default principal:')" ] && echo 'ERROR: Mismatched principal' && exit 1

# Replace user credential cache by matching/misnamed one
mv "${KRB5CC_SRC}" "${KRB5CC_DST}"
[ $? -ne 0 ] && echo 'ERROR: Failed to rename matching/misnamed Kerberos 5 ticket' && exit 1
echo 'INFO: Successfully renamed matching/misnamed Kerberos 5 ticket'
exit 0


The 'sh -c "sleep 3; ..."' is required to handle the fact that the misnamed ticket is created only after pam_script is invoked (I guess when pam_end is called).

Gut-wrenching... but working :-/

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1336663

Title:
  lightdm uses wrong ccache name on pam_krb5 credentials refresh

Status in Light Display Manager:
  Triaged
Status in libpam-krb5 package in Ubuntu:
  Confirmed
Status in lightdm package in Ubuntu:
  Triaged

Bug description:
  As already noted by Brian Knoll in https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1296276/comments/24
  lightdm 1.10.1-0ubuntu1 uses an inappropriate credentials cache, /tmp/krb5cc_0, when refreshing Kerberos credentials on screen unlock.

  I couldn't find the new bug Robert Ancell called for in
  https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1296276/comments/27
  so I'm opening one now.

To manage notifications about this bug go to:
https://bugs.launchpad.net/lightdm/+bug/1336663/+subscriptions
  Thread PreviousDate PreviousThread Next