From vangyzen@stat.duke.edu  Fri Mar 19 08:09:28 2004
Return-Path: <vangyzen@stat.duke.edu>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E353716A4CF
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 19 Mar 2004 08:09:28 -0800 (PST)
Received: from which.isds.duke.edu (which.isds.duke.edu [152.3.22.3])
	by mx1.FreeBSD.org (Postfix) with ESMTP id AAEE943D53
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 19 Mar 2004 08:09:28 -0800 (PST)
	(envelope-from vangyzen@stat.duke.edu)
Received: from stat.duke.edu (sinatra.isds.duke.edu [152.3.22.120])
	by which.isds.duke.edu (Postfix) with ESMTP id D225AC3848
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 19 Mar 2004 11:09:27 -0500 (EST)
Received: (from vangyzen@localhost)
	by stat.duke.edu (8.12.10/8.12.10/Submit) id i2JG9P0H046434;
	Fri, 19 Mar 2004 11:09:25 -0500 (EST)
	(envelope-from vangyzen)
Message-Id: <200403191609.i2JG9P0H046434@stat.duke.edu>
Date: Fri, 19 Mar 2004 11:09:25 -0500 (EST)
From: Eric van Gyzen <vangyzen@stat.duke.edu>
Reply-To: Eric van Gyzen <vangyzen@stat.duke.edu>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: pam_krb5 module ignores no_ccache option
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         64464
>Category:       bin
>Synopsis:       pam_krb5 module ignores no_ccache option
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    rwatson
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 19 08:10:05 PST 2004
>Closed-Date:    Fri Nov 10 17:09:57 GMT 2006
>Last-Modified:  Fri Nov 10 17:09:57 GMT 2006
>Originator:     Eric van Gyzen
>Release:        FreeBSD 5.2-RELEASE i386
>Organization:
Duke University Statistics
>Environment:
FreeBSD 5.2-RELEASE

>Description:
The Kerberos 5 PAM module (src/lib/libpam/modules/pam_krb5/pam_krb5.c)
ignores the no_ccache option and always saves the credentials in a file.

>How-To-Repeat:
For example, configure ports/mail/imap-uw to authenticate with Kerberos.
In /etc/pam.d/imap, put:
    auth    required   pam_nologin.so    no_warn
    auth    required   pam_krb5.so       no_warn try_first_pass no_ccache
Contrary to the pam_krb5(8) man page, a credentials cache will be saved
in /tmp/krb5cc_%d.

>Fix:
I'm not familiar enough with PAM and Kerberos to provide a fix.  :(
Maybe in my "spare time"...
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: kris 
Responsible-Changed-When: Mon Mar 22 03:35:38 PST 2004 
Responsible-Changed-Why:  
Over to PAM maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=64464 
Responsible-Changed-From-To: des->rwatson 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Sun Jan 23 16:09:48 GMT 2005 
Responsible-Changed-Why:  
Grab ownership of this PR since I'm cleaning up some related problems 
with pam_krb5. 



From: Robert Watson <rwatson@freebsd.org>
To: Eric van Gyzen <vangyzen@stat.duke.edu>
Cc: gnats-submit@freebsd.org
Subject: Re: bin/64464: pam_krb5 module ignores no_ccache option
Date: Sun, 23 Jan 2005 16:11:10 +0000 (GMT)

 On Sun, 23 Jan 2005, Robert Watson wrote:
 
 > Synopsis: pam_krb5 module ignores no_ccache option
 > 
 > Responsible-Changed-From-To: des->rwatson
 > Responsible-Changed-By: rwatson
 > Responsible-Changed-When: Sun Jan 23 16:09:48 GMT 2005
 > Responsible-Changed-Why: 
 > Grab ownership of this PR since I'm cleaning up some related problems
 > with pam_krb5.
 
 Could you try the patch below?  It should stop the PAM session code in
 pam_krb5 from creating a persistent cache if the no_ccache option is set.
 Thanks!
 
 Index: pam_krb5.c
 ===================================================================
 RCS file: /home/ncvs/src/lib/libpam/modules/pam_krb5/pam_krb5.c,v
 retrieving revision 1.21
 diff -u -r1.21 pam_krb5.c
 --- pam_krb5.c	23 Jan 2005 15:57:07 -0000	1.21
 +++ pam_krb5.c	23 Jan 2005 16:09:18 -0000
 @@ -362,6 +362,10 @@
  	if (!(flags & PAM_ESTABLISH_CRED))
  		return (PAM_SERVICE_ERR);
  
 +	/* If a persistent cache isn't desired, stop now. */
 +	if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE))
 +		return (PAM_SUCCESS);
 +
  	PAM_LOG("Establishing credentials");
  
  	/* Get username */
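Review bot: the new early return sits above PAM_LOG("Establishing credentials"), so with no_ccache set the function returns PAM_SUCCESS without leaving any debug trace that credential establishment was skipped on purpose. Consider a PAM_LOG call just before the return (for example, one noting that no_ccache is set and no cache will be written) so an administrator debugging a missing cache can tell the option from a failure. The placement after the PAM_ESTABLISH_CRED test looks right, since other flags still get PAM_SERVICE_ERR as before.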
 
 
State-Changed-From-To: open->patched 
State-Changed-By: rwatson 
State-Changed-When: Mon Jan 24 16:51:39 GMT 2005 
State-Changed-Why:  
Committed to CVS HEAD as pam_krb5.c:1.21; will be MFC'd to RELENG_5 after 
one week.  Thanks for testing the patch! 



From: Eric van Gyzen <vangyzen@stat.duke.edu>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: gnats-submit@FreeBSD.org
Subject: Re: bin/64464: pam_krb5 module ignores no_ccache option
Date: Mon, 24 Jan 2005 11:46:06 -0500

 Robert Watson wrote:
 > On Sun, 23 Jan 2005, Robert Watson wrote:
 > 
 > 
 >>Synopsis: pam_krb5 module ignores no_ccache option
 >>
 >>Responsible-Changed-From-To: des->rwatson
 >>Responsible-Changed-By: rwatson
 >>Responsible-Changed-When: Sun Jan 23 16:09:48 GMT 2005
 >>Responsible-Changed-Why: 
 >>Grab ownership of this PR since I'm cleaning up some related problems
 >>with pam_krb5.
 > 
 > 
 > Could you try the patch below?  It should stop the PAM session code in
 > pam_krb5 from creating a persistent cache if the no_ccache option is set.
 
 It works!  Thanks!
 
 Eric
 
State-Changed-From-To: patched->closed 
State-Changed-By: rwatson 
State-Changed-When: Fri Nov 10 17:09:16 UTC 2006 
State-Changed-Why:  
Closed due to positive feedback on fix. 

>Unformatted:
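A check for the symptom in How-To-Repeat, added here as an example and not part of the PR or the FreeBSD source: it lists every pam_krb5.so line under a PAM directory and flags krb5cc_<uid> files in a cache directory when all of those lines set no_ccache. The function names and the two directory arguments are assumptions of this example; caches written by kinit or other software in the same directory would be flagged as well.

```shell
#!/bin/sh
# Added example, not code from the PR. Directories are arguments so the
# check can be run against copies as well as /etc/pam.d and /tmp.

# Print "service facility no_ccache|ccache" for each pam_krb5.so line
# found in the PAM service files under $1.
krb5_pam_lines() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v svc="${f##*/}" '
            /^[ \t]*#/ || NF == 0 { next }      # skip comments and blanks
            {
                mod = 0
                for (i = 2; i <= NF; i++) {     # locate the module field
                    n = split($i, p, "/")
                    if (p[n] ~ /^pam_krb5\.so/) { mod = i; break }
                }
                if (!mod) next
                state = "ccache"
                for (i = mod + 1; i <= NF; i++) # options follow the module
                    if ($i == "no_ccache") state = "no_ccache"
                print svc, $1, state
            }' "$f"
    done
}

# Count regular files named krb5cc_<digits> directly under $1.
count_ccaches() {
    n=0
    for c in "$1"/krb5cc_*; do
        [ -f "$c" ] || continue
        case "${c##*/krb5cc_}" in
            ''|*[!0-9]*) ;;                     # not a numeric uid suffix
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Return 1 when every pam_krb5 line sets no_ccache yet cache files exist.
check_no_ccache() {
    lines=$(krb5_pam_lines "$1")
    [ -n "$lines" ] || return 0                 # pam_krb5 not configured
    if echo "$lines" | grep -qv ' no_ccache$'; then return 0; fi
    n=$(count_ccaches "$2")
    [ "$n" -eq 0 ] && return 0
    echo "unexpected: $n krb5cc_ file(s) in $2 although no_ccache is set"
    return 1
}

if [ "$#" -eq 2 ]; then check_no_ccache "$1" "$2"; fi
```

Run it as `sh script.sh /etc/pam.d /tmp` after a test login through the service in question.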
