
pam_krb5 3.9 bug in account management?

daemon@ATHENA.MIT.EDU (Markus Moeller)
Sat Jan 19 10:50:47 2008

To: kerberos@mit.edu
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Sat, 19 Jan 2008 15:49:51 -0000
Message-ID: <fmt67g$fch$1@ger.gmane.org>
Mime-Version: 1.0
X-Complaints-To: usenet@ger.gmane.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Russ,


I think in api-account.c in line 60 the PAM_SUCCESS should be changed to 
PAM_IGNORE, otherwise if you stack pam modules like:

other account sufficient pam_krb5
other account required pam_unix

and check for a local non-Kerberos user, the account management by pam_unix 
(password expiry, etc.) will be ignored.

    /*
     * Succeed if the user did not use krb5 to login.  Yes, ideally we should
     * probably fail and require that the user set up policy properly in their
     * PAM configuration, but it's not common for the user to do so and that's
     * not how other krb5 PAM modules work.  If we don't do this, root logins
     * with the system root password fail, which is a bad failure mode.
     */
    if (pamret != PAM_SUCCESS || args->ctx == NULL) {
        pamret = PAM_SUCCESS;           /* <= should be PAM_IGNORE */
        pamk5_debug(args, "skipping non-Kerberos login");
        goto done;
    }



Markus 
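
To make the stacking problem concrete, here is an added example (not from the original post or from the pam_krb5 sources) that models libpam's dispatch of the two-line account stack quoted above; the user names, the subset of PAM return codes and the simplified "required"/"sufficient" rules are assumptions for illustration:

```python
# Added example (not from the original post or from pam_krb5): a minimal model
# of how libpam dispatches an account stack with the "sufficient" and
# "required" controls, used to show why PAM_SUCCESS vs PAM_IGNORE matters.
from enum import Enum

class Ret(Enum):
    SUCCESS = "PAM_SUCCESS"
    IGNORE = "PAM_IGNORE"
    ACCT_EXPIRED = "PAM_ACCT_EXPIRED"

KRB5_USERS = {"alice"}      # constructed: users who authenticated via Kerberos
EXPIRED_LOCAL = {"bob"}     # constructed: local users whose password has expired

def pam_krb5_account(non_krb5_result):
    """Build a pam_krb5-like account hook. non_krb5_result is what it returns
    for a login that did not use Kerberos (the value under discussion)."""
    def hook(user):
        return Ret.SUCCESS if user in KRB5_USERS else non_krb5_result
    return hook

def pam_unix_account(user):
    """pam_unix-like account hook: refuse local accounts with expired passwords."""
    return Ret.ACCT_EXPIRED if user in EXPIRED_LOCAL else Ret.SUCCESS

def run_stack(stack, user):
    """Dispatch [(control, name, hook), ...] roughly as libpam does.
    Returns (final result, names of the hooks that actually ran)."""
    failure, ran = None, []
    for control, name, hook in stack:
        ret = hook(user)
        ran.append(name)
        if ret is Ret.IGNORE:               # module opts out of the decision
            continue
        if control == "required" and ret is not Ret.SUCCESS:
            failure = failure or ret        # remember, but keep running the stack
        elif control == "sufficient" and ret is Ret.SUCCESS and failure is None:
            return Ret.SUCCESS, ran         # short-circuit: later modules never run
    return (failure or Ret.SUCCESS), ran

def account_stack(non_krb5_result):
    """The two-line configuration from the post, with pam_krb5 returning
    non_krb5_result for non-Kerberos users."""
    return [("sufficient", "pam_krb5", pam_krb5_account(non_krb5_result)),
            ("required", "pam_unix", pam_unix_account)]

if __name__ == "__main__":
    for code in (Ret.SUCCESS, Ret.IGNORE):
        print(code.value, "->", run_stack(account_stack(code), "bob"))
```

With PAM_SUCCESS the expired local user "bob" is admitted and pam_unix never runs; with PAM_IGNORE the stack continues and pam_unix's expiry check is honoured, while the Kerberos user still short-circuits as intended.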


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos