On Wed, 19 May 2004, Chip Coldwell wrote: > > So we should either remove this hunk from libpam-heimdal so that it > doesn't care if the ccache exists already, or xdm should not call > pam_setcred twice (once for authentication and once for session).
After some more investigation, I've decided that the right solution is to remove one of the two pam_setcred calls from xdm. The reason is that pam_setcred as implemented by libpam-heimdal's pam_krb5 module creates a credentials cache in /tmp/krb5cc_XXXXXX using tmpnam(3) and then sets the value of the environment variable KRB5CCNAME to the name of this file. If pam_setcred is called twice, two files with different names (containing the same credentials) are created, but the environment variable only holds one filename, of course (its value is overwritten by the second call to pam_setcred). Therefore, a call to kdestroy(1) will only destroy one of the two credentials caches -- leaving the other one in /tmp even after a logout. This is a security risk and definitely not desirable. The question of which of the two pam_setcred calls to remove depends on the exact semantics of how PAM expects this function to be used. Even though holding a credentials cache for the duration of a login sounds like a session function, as far as I can tell, pam_setcred is part of the authentication component of PAM. Therefore if we want to stick to the authentication semantics, then the right pam_setcred call to remove is the one in xc/programs/xdm/session.c Additionally, I would argue that holding a credentials cache really should be a function of the session component of the pam_krb5 module. Right now the open_session and close_session functions in pam_krb5 (from libpam-heimdal) are no-ops .... Chip -- Charles M. "Chip" Coldwell System Administrator Harvard Physics Department 617-495-3388
