pam_krb5 3.9 bug in account management ?
Markus Moeller
huaraz at moeller.plus.com
Sat Jan 19 10:49:51 EST 2008
Russ,
I think in api-account.c in line 60 the PAM_SUCCESS should be changed to
PAM_IGNORE, otherwise if you stack PAM modules like:
other account sufficient pam_krb5
other account required pam_unix
and check for a local non-Kerberos user, the account management by pam_unix
(password expiry, etc.) will be ignored.
    /*
     * Succeed if the user did not use krb5 to login. Yes, ideally we should
     * probably fail and require that the user set up policy properly in their
     * PAM configuration, but it's not common for the user to do so and that's
     * not how other krb5 PAM modules work. If we don't do this, root logins
     * with the system root password fail, which is a bad failure mode.
     */
    if (pamret != PAM_SUCCESS || args->ctx == NULL) {
        pamret = PAM_SUCCESS;                    /* <= should be PAM_IGNORE */
        pamk5_debug(args, "skipping non-Kerberos login");
        goto done;
    }
Markus
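Added example, not from the mailing list post or from pam_krb5: a small simulation of how a PAM account stack evaluates the "sufficient" and "required" control flags, with constructed stand-in modules for pam_krb5 (current behaviour versus the proposed PAM_IGNORE) and pam_unix. It shows that for an expired local user the stack above returns success and never reaches the expiry check unless pam_krb5 abstains. The user record, module functions and return codes are constructed for this example (the numeric values mirror Linux-PAM's).

```c
/* Simplified model of PAM account-stack evaluation (constructed for this
 * example; not the real libpam code). Two stand-in modules mimic pam_krb5
 * before and after the suggested PAM_SUCCESS -> PAM_IGNORE change. */
#include <stdbool.h>
#include <stdio.h>

enum { PAM_SUCCESS = 0, PAM_ACCT_EXPIRED = 13, PAM_IGNORE = 25 };
enum control { REQUIRED, SUFFICIENT };

struct user { const char *name; bool krb5_login; bool expired; };
typedef int (*acct_fn)(const struct user *);
struct entry { enum control ctl; acct_fn fn; };

/* pam_krb5 as quoted above: a non-Kerberos login "succeeds" too. */
static int krb5_current(const struct user *u) { (void)u; return PAM_SUCCESS; }
/* pam_krb5 with the proposed change: abstain for non-Kerberos logins. */
static int krb5_proposed(const struct user *u) {
    return u->krb5_login ? PAM_SUCCESS : PAM_IGNORE;
}
/* pam_unix account management: enforces local password/account expiry. */
static int unix_acct(const struct user *u) {
    return u->expired ? PAM_ACCT_EXPIRED : PAM_SUCCESS;
}

/* Walk the stack: PAM_IGNORE casts no vote; a successful "sufficient"
 * module ends evaluation (unless a "required" one already failed);
 * a failing "required" module is recorded but evaluation continues. */
int run_stack(const struct entry *stack, int n, const struct user *u) {
    int failure = PAM_SUCCESS;
    for (int i = 0; i < n; i++) {
        int rc = stack[i].fn(u);
        if (rc == PAM_IGNORE) continue;
        if (stack[i].ctl == SUFFICIENT) {
            if (rc == PAM_SUCCESS && failure == PAM_SUCCESS) return PAM_SUCCESS;
            continue;                      /* failed sufficient: ignored */
        }
        if (rc != PAM_SUCCESS && failure == PAM_SUCCESS) failure = rc;
    }
    return failure;
}

/* "other account sufficient pam_krb5" / "other account required pam_unix",
 * evaluated for an expired local (non-Kerberos) user. */
int expired_local_user_result(bool with_proposed_fix) {
    const struct user local = { "alice", false, true };   /* constructed */
    struct entry stack[] = {
        { SUFFICIENT, with_proposed_fix ? krb5_proposed : krb5_current },
        { REQUIRED,   unix_acct },
    };
    return run_stack(stack, 2, &local);
}
```

With the current code the call returns PAM_SUCCESS (expiry never checked); with the proposed change it returns PAM_ACCT_EXPIRED from pam_unix.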