libpam-krb5 on Ubuntu 8.04 with MIT Kerberos and PKINIT

Douglas E. Engert deengert at
Thu May 15 15:52:10 EDT 2008

Russ Allbery wrote:
> "Douglas E. Engert" <deengert at> writes:
>> I was trying to get the PKINIT working on Ubuntu 8.04
>> which comes with:
>>     libpam-krb5 3.10-1
>>     krb5-pkinit 1.6.dfsg.3~beta1-2ubuntu1
>> I had to make a change to the libpam-krb5 auth.c to remove a test for
>> a bug that appears to be fixed in krb5-1.6.3 I just changed the #ifdef
>> to not include the call to clear out the opts structure.
> The bug was fixed in 1.6.3, but I didn't think it was fixed in such a way
> as to make that code break anything. Not running that fixed something?

The pkinit would not work with the call krb5_get_init_creds_opt_init(opts)
code being called. It looks like it sets the
and thus looses the KRB5_GET_INIT_CREDS_OPT_EXTENDED flag. Not sure
if krb5_get_init_creds_opt_set_pa failed or stored something.

In any case, the PKINIT worked when I remove the call the

> Does MIT now do what Heimdal does and zero out the allocated memory as
> well when one runs opt_init?

I believe so, it looks like calloc is used by krb5int_gic_opte_alloc and
krb5int_gic_opte_private_alloc in 1.6.3-beta1

I would hope one of the MIT people could comment.



  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list