Password expiration
Jacques A. Vidrine
nectar at celabo.org
Fri Mar 7 12:26:13 EST 2003
On Fri, Mar 07, 2003 at 11:31:34AM -0500, James F. Hranicky wrote:
> Is anyone actually using the password expiration features of Kerberos?

For what it's worth, the password expiration features worked
previously with login, sshd, pam_krb5 and Heimdal on FreeBSD and
Linux.

[snip]

> - buggy pam_krb5-1.0.3 module: I just recently sent in a patch
>   that fixed a simple pointer bug in the module causing
>   segfaults whenever the libraries returned any messages
>   (e.g., "Your password will expire...", "Your password has expired")

I'd be careful here. The Linux-PAM and Solaris PAM implementations
interpret that pointer differently. I know it was correct for
Linux-PAM, and I thought that Nico had checked it out for Solaris as
well.

> - buggy PAM programs:
>
>   o the PAM patch for XDM causes a segfault when the
>     (struct pam_message **) msg argument contains more than
>     one message due to incorrect pointer dereference (derefs
>     msg[count]->msg instead of msg[0][count].msg). I fixed
>     that, but I'm getting another segfault elsewhere

Yeah, that's the same issue.

Cross-platform PAM can be hard to get right, and many applications
have really poor PAM support. I'm sorry to say that I mostly gave up
on the issue and simply integrated the PAM/Kerberos 5 support we
(FreeBSD) need into the base system. (something had to give)

However, if you have time and energy, people will learn to love you
for fixing their PAM problems :)

Cheers,
--
Jacques A. Vidrine <nectar at celabo.org> http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine at verio.net . nectar at FreeBSD.org . nectar at kth.se
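
Added example, not part of the original message and not code from pam_krb5, XDM or any PAM implementation: the two readings of the `(struct pam_message **) msg` argument discussed in the thread, and a caller-side layout under which both reach the same message. `struct message` and all function names are hypothetical stand-ins so the block builds without PAM headers; the style values are constructed placeholders.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in with the same shape as struct pam_message (constructed for this
 * example so it builds without PAM headers). */
struct message { int msg_style; const char *msg; };

/* Linux-PAM reading: msg is an array of num_msg pointers to messages. */
const char *read_linux(const struct message **msg, int i) { return msg[i]->msg; }

/* Solaris reading: *msg is the first element of an array of num_msg messages. */
const char *read_solaris(const struct message **msg, int i) { return (*msg)[i].msg; }

/* Returns 1 only if every msg[i] points at element i of one contiguous array,
 * i.e. the layout for which both readings above reach the same message. */
int both_readings_safe(const struct message **msg, int n)
{
    for (int i = 0; i < n; i++)
        if ((uintptr_t)msg[i] != (uintptr_t)msg[0] + (uintptr_t)i * sizeof(struct message))
            return 0;
    return 1;
}

/* Constructed sample data: style values are arbitrary placeholders. */
static const struct message pool[2] = {
    { 1, "Your password will expire..." },
    { 1, "Your password has expired" },
};

/* Portable caller layout: pointer i refers to element i of one array. */
static const struct message *portable[2] = { &pool[0], &pool[1] };

/* Pointer-array-only layout: valid for read_linux, but (*msg)[1] would run
 * past the object msg[0] points at, so read_solaris must not be used on it. */
static const struct message *scattered[2] = { &pool[1], &pool[0] };

const struct message **portable_msgs(void)  { return portable; }
const struct message **scattered_msgs(void) { return scattered; }

int main(void)
{
    const struct message **p = portable_msgs();
    for (int i = 0; i < 2; i++)
        printf("%s | %s\n", read_linux(p, i), read_solaris(p, i));
    printf("portable safe: %d, scattered safe: %d\n",
           both_readings_safe(p, 2), both_readings_safe(scattered_msgs(), 2));
    return 0;
}
```

A module that builds its message array the `portable` way works with applications written against either reading; an application's conversation function still has to use the reading its platform's PAM library defines.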