Package: libpam-heimdal
Version: 1.2.0-1
Tags: patch

I have noticed some problems with libpam-heimdal leaving credentials
for users in files owned by root:root with permissions 600 and not
named according to the environment variable KRB5CCNAME. (A variable
PAM_KRB5CCNAME was introduced with the correct name.) This mostly
doesn't show up for local logins, but is repeatable for logins over ssh.
I have, however, experienced the erratic behaviour also for console logins.

I sent some more details to debian-user [1], before I found out what I
believe causes the problem.

Further, the credentials obtained by logging in via kdm are (still)
not deleted on closing the KDE session. This was reported in #344927,
which is about to be archived, but I don't think 1.2.0-1 fixed it.

It seems a minor typo caused a functional discrepancy between
pam_krb5_auth.c in libpam-heimdal and libpam-krb5, which is the cause
of this behaviour. The included patch is against (the dpatched)
pam_krb5_auth.c in libpam-heimdal, and if built with this patch, I
have not noticed any of the erratic behaviour described above.

Anders

[1] http://lists.debian.org/debian-user/2006/04/msg02097.html

--- libpam-heimdal-1.2.0.org/pam_krb5_auth.c 2006-04-17 00:44:00.000000000
+0200
+++ libpam-heimdal-1.2.0/pam_krb5_auth.c 2006-04-17 00:31:44.000000000
+0200
@@ -412,7 +412,8 @@
if ((pamret = set_krb5ccname(ctx, cache_name, "KRB5CCNAME")) !=
PAM_SUCCESS)
goto done;
if (pam_getenv(pamh, "PAM_KRB5CCNAME") != NULL)
- goto done;
+ if ((pamret = pam_putenv(pamh, "PAM_KRB5CCNAME")) != PAM_SUCCESS)
+ goto done;
ctx->initialized = 1;
krb5_cc_destroy(ctx->context, ctx->cache);
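
Review bot: The nested if on the added lines has no braces and no comment, so it is easy to misread which condition the remaining "goto done" belongs to. It now fires only when pam_putenv fails, and the success path falls through to "ctx->initialized = 1" and krb5_cc_destroy. Please put braces around the body of the outer "if (pam_getenv(pamh, "PAM_KRB5CCNAME") != NULL)" and add a one-line comment saying that pam_putenv called with a bare name (no "=") removes the variable from the PAM environment, since that is the whole point of the change. Separately, the failure branch jumps to done before krb5_cc_destroy(ctx->context, ctx->cache) runs. The done label is outside this hunk, so it is worth confirming that it cleans up the root-owned cache on that path rather than leaving it behind.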