pam_krb5 3.9 bug in account management ?

Markus Moeller huaraz at moeller.plus.com
Sat Jan 19 10:49:51 EST 2008


Russ,


I think in api-account.c in line 60 the PAM_SUCCESS should be changed to 
PAM_IGNORE, otherwise if you stack pam modules like:

other account sufficient pam_krb5
other account required pam_unix

and check for a local non Kerberos user the account management by pam_unix 
(password expiry, etc..) will be ignored.

    /*
     * Succeed if the user did not use krb5 to login.  Yes, ideally we 
should
     * probably fail and require that the user set up policy properly in 
their
     * PAM configuration, but it's not common for the user to do so and 
that's
     * not how other krb5 PAM modules work.  If we don't do this, root 
logins
     * with the system root password fail, which is a bad failure mode.
     */
    if (pamret != PAM_SUCCESS || args->ctx == NULL) {
        pamret = PAM_SUCCESS; 
<= should be PAM_IGNORE
        pamk5_debug(args, "skipping non-Kerberos login");
        goto done;
    }



Markus 





More information about the Kerberos mailing list