pam_krb5 3.9 bug in account management?

Russ Allbery rra at stanford.edu
Sat Jan 19 15:19:48 EST 2008


Resending this to the list.

"Markus Moeller" <huaraz at moeller.plus.com> writes:

> I think in api-account.c in line 60 the PAM_SUCCESS should be changed to
> PAM_IGNORE, otherwise if you stack pam modules like:
>
> other account sufficient pam_krb5
> other account required pam_unix
>
> and check for a local non-Kerberos user the account management by pam_unix
> (password expiry, etc.) will be ignored.

I would agree with you except PAM_IGNORE is not a permissible return code
for a PAM module according to the Linux PAM standard, which is as close to
a standard as we have.

Normally, you don't need to do the above.  Other things don't work if the
user doesn't have a basic existence in the nsswitch setup for the system,
at which point pam_unix's account module will succeed.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
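
The stacking behaviour discussed in this message, as an added example that is not part of the original thread and is not pam_krb5 or libpam code. It is a simplified model of how `sufficient` and `required` entries are evaluated; the enum names, `run_stack` and `check_local_user` are hypothetical, and the expired local account is a constructed case.

```c
#include <stdio.h>
/* Simplified model of Linux-PAM stack evaluation; names are illustrative. */
enum rc  { RC_SUCCESS, RC_IGNORE, RC_ACCT_EXPIRED, RC_PERM_DENIED };
enum ctl { CTL_SUFFICIENT, CTL_REQUIRED };
struct entry { const char *module; enum ctl control; enum rc result; };

/* Walk the stack in order; *called receives how many modules were invoked. */
static enum rc run_stack(const struct entry *s, int n, int *called)
{
    enum rc failure = RC_SUCCESS;   /* first failure from a required module */
    int positive = 0;               /* has any module returned success? */
    *called = 0;
    for (int i = 0; i < n; i++) {
        enum rc r = s[i].result;
        (*called)++;
        if (r == RC_IGNORE)
            continue;               /* module does not count either way */
        if (r == RC_SUCCESS) {
            positive = 1;
            if (s[i].control == CTL_SUFFICIENT && failure == RC_SUCCESS)
                return RC_SUCCESS;  /* stack ends; later modules never run */
        } else if (s[i].control == CTL_REQUIRED && failure == RC_SUCCESS) {
            failure = r;            /* a failing sufficient module is skipped */
        }
    }
    if (failure != RC_SUCCESS)
        return failure;
    return positive ? RC_SUCCESS : RC_PERM_DENIED;
}

/* Constructed case: local non-Kerberos user whose password has expired. */
static enum rc check_local_user(enum rc krb5_result, int *called)
{
    struct entry stack[] = {
        { "pam_krb5", CTL_SUFFICIENT, krb5_result },
        { "pam_unix", CTL_REQUIRED,   RC_ACCT_EXPIRED },
    };
    return run_stack(stack, 2, called);
}

int main(void)
{
    int n;
    enum rc r = check_local_user(RC_SUCCESS, &n);
    printf("krb5=SUCCESS: result=%d, modules called=%d\n", r, n);
    r = check_local_user(RC_IGNORE, &n);
    printf("krb5=IGNORE:  result=%d, modules called=%d\n", r, n);
    return 0;
}
```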


