Comment 9 for bug 1336663

Cédric Dufour (cedric.dufour) wrote :

Hello again,

Thanks @Sergio for the krenew tip.

I'd rather not automatically renew a user ticket without having them supply their password from time to time.

I came up with a *horrible* workaround which I believe does not break Kerberos security entirely (please correct me if I'm wrong):

In /etc/pam.d/common-auth:
auth optional pam_script.so dir=/etc/security/pam-script.d

In /etc/security/pam-script.d/pam_script_auth:
#!/bin/sh

## Kerberos 5 credential cache (ticket) hack
# REF: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1336663
sh -c "sleep 3; PAM_USER=${PAM_USER} /etc/security/pam-script.d/krb5cc_rename" &

In /etc/security/pam-script.d/krb5cc_rename:
#!/bin/sh

## Kerberos 5 credential cache (ticket) hack
# REF: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1336663

# Parameters
KRB5CC_DIR='/tmp'

# Look for matching - although misnamed - credential cache
# ... retrieve user UID
KRB5CC_UID="$(id -u "${PAM_USER}")"
[ -z "${KRB5CC_UID}" ] && echo 'ERROR: Failed to retrieve user UID' && exit 1
# ... look for user matching/misnamed ticket (regular files only: never act on a planted symlink)
KRB5CC_SRC="$(find "${KRB5CC_DIR}" -maxdepth 1 -type f -uid "${KRB5CC_UID}" -name 'krb5cc_0')"
[ -z "${KRB5CC_SRC}" ] && echo 'INFO: No matching/misnamed Kerberos 5 ticket found' && exit 0
# ... look for *older* user ticket (do not replace a newer one)
KRB5CC_DST="$(find "${KRB5CC_DIR}" -maxdepth 1 -type f -uid "${KRB5CC_UID}" -name "krb5cc_${KRB5CC_UID}_*" ! -newer "${KRB5CC_SRC}" | head -n 1)"
[ -z "${KRB5CC_DST}" ] && echo 'INFO: No previous/user Kerberos 5 ticket found' && exit 0
# ... check Kerberos principal matches (just to be on the safe side; let's not rely only on files ownership)
KRB5CC_SRC_PRINC="$(klist "${KRB5CC_SRC}" 2>/dev/null | grep '^Default principal:')"
KRB5CC_DST_PRINC="$(klist "${KRB5CC_DST}" 2>/dev/null | grep '^Default principal:')"
# ... an empty principal means klist failed; do not let two failures compare as "equal"
[ -z "${KRB5CC_SRC_PRINC}" ] && echo 'ERROR: Failed to read principal from credential cache' && exit 1
[ "${KRB5CC_SRC_PRINC}" != "${KRB5CC_DST_PRINC}" ] && echo 'ERROR: Mismatched principal' && exit 1

# Replace user credential cache by matching/misnamed one
if ! mv "${KRB5CC_SRC}" "${KRB5CC_DST}"; then
  echo 'ERROR: Failed to rename matching/misnamed Kerberos 5 ticket'
  exit 1
fi
echo 'INFO: Successfully renamed matching/misnamed Kerberos 5 ticket'
exit 0

The 'sh -c "sleep 3; ..."' is required to handle the fact that the misnamed ticket is created only after pam_script is invoked (I guess when pam_end is called).

Gut-wrenching... but working :-/
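Added example, not from this bug report or from lightdm: the same rename logic split into functions, with two changes a practitioner would want. The fixed `sleep 3` becomes a poll with a timeout (the misnamed `krb5cc_0` appears only after the PAM conversation ends, and how long that takes is not fixed), and the principal comparison refuses to act when `klist` returns no principal at all, so two `klist` failures cannot compare as "equal". The function names, the cache directory, UID and timeout parameters are assumptions chosen so the pieces can be exercised in a scratch directory without a Kerberos installation (a missing or failing `klist` simply yields an empty principal).

```shell
#!/bin/sh
# Added example (not the bug report's own script): credential-cache rename with a
# polling wait and a non-empty principal check. All names are illustrative.

# wait_for_cache DIR UID NAME TIMEOUT
# Poll DIR once per second for a regular file NAME owned by UID.
# Prints the path and returns 0, or returns 1 after TIMEOUT seconds.
wait_for_cache() {
    wfc_dir=$1; wfc_uid=$2; wfc_name=$3; wfc_left=$4
    while [ "$wfc_left" -gt 0 ]; do
        wfc_found=$(find "$wfc_dir" -maxdepth 1 -type f -uid "$wfc_uid" -name "$wfc_name" 2>/dev/null | head -n 1)
        if [ -n "$wfc_found" ]; then
            printf '%s\n' "$wfc_found"
            return 0
        fi
        sleep 1
        wfc_left=$((wfc_left - 1))
    done
    return 1
}

# older_user_cache DIR UID SRC
# Print a krb5cc_UID_* cache in DIR owned by UID that is not newer than SRC (empty if none),
# so a cache from a later login is never overwritten by an older misnamed one.
older_user_cache() {
    find "$1" -maxdepth 1 -type f -uid "$2" -name "krb5cc_${2}_*" ! -newer "$3" 2>/dev/null | head -n 1
}

# cache_principal CCACHE
# Default principal as reported by MIT klist; empty when klist is missing or CCACHE is not a cache.
cache_principal() {
    klist "$1" 2>/dev/null | sed -n 's/^Default principal: *//p'
}

# principals_match SRC DST
# Succeed only when both caches carry the same, non-empty principal. Two klist failures
# would otherwise compare as equal empty strings and let the rename through.
principals_match() {
    pm_src=$(cache_principal "$1")
    pm_dst=$(cache_principal "$2")
    [ -n "$pm_src" ] && [ "$pm_src" = "$pm_dst" ]
}

# krb5cc_fix DIR UID TIMEOUT
# Wait for DIR/krb5cc_0 owned by UID, then move it over the user's older krb5cc_UID_* cache.
# Returns 0 when renamed, 2 when there was nothing to do, 1 on error (files left untouched).
krb5cc_fix() {
    kf_src=$(wait_for_cache "$1" "$2" krb5cc_0 "$3") || { echo 'INFO: no misnamed cache appeared'; return 2; }
    kf_dst=$(older_user_cache "$1" "$2" "$kf_src")
    [ -n "$kf_dst" ] || { echo 'INFO: no older user cache to replace'; return 2; }
    principals_match "$kf_src" "$kf_dst" || { echo 'ERROR: principal mismatch or unreadable cache'; return 1; }
    mv "$kf_src" "$kf_dst" || { echo 'ERROR: rename failed'; return 1; }
    echo "INFO: renamed $kf_src -> $kf_dst"
    return 0
}
```

Wired into the pam_script hook, the background command would become `PAM_USER=... sh -c '. /etc/security/pam-script.d/krb5cc_lib; krb5cc_fix /tmp "$(id -u "$PAM_USER")" 10'` (path and timeout are assumptions); the poll returns as soon as `krb5cc_0` shows up instead of always waiting three seconds, and gives up cleanly when it never does.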