Bug 10966

Summary: imapd with krb5 auth. leaves behind tickets in /tmp
Product: [Retired] Red Hat Linux
Reporter: Chris Rode <electro>
Component: pam_krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 6.2
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2000-05-12 16:22:13 UTC

Description Chris Rode 2000-04-21 15:43:50 UTC
When using imapd with pam_krb5.so for authentication, imapd doesn't clean
up the ticket caches in /tmp.  This leaves behind a huge mess on a busy
system.  The following patch fixes:

--- imap-4.7/src/osdep/unix/ckp_pam.c.orig      Mon Dec 14 22:04:09 1998
+++ imap-4.7/src/osdep/unix/ckp_pam.c   Fri Apr 21 08:33:09 2000
@@ -96,9 +96,11 @@
       (pam_authenticate (hdl,NIL) != PAM_SUCCESS) ||
       (pam_acct_mgmt (hdl,NIL) != PAM_SUCCESS) ||
       (pam_setcred (hdl,PAM_ESTABLISH_CRED) != PAM_SUCCESS)) {
+    pam_setcred (hdl,PAM_DELETE_CRED);
     pam_end (hdl,PAM_AUTH_ERR);        /* failed */
     return NIL;
   }
+  pam_setcred (hdl,PAM_DELETE_CRED);
   pam_end (hdl,PAM_SUCCESS);   /* return success */
   return pw;
 }
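Review bot: In the failure branch of ckp_pam.c, the added pam_setcred (hdl,PAM_DELETE_CRED) runs whichever operand of the || chain failed, so it is also called when pam_authenticate failed and no credentials were ever established. That is reasonable when a later step fails after a module has already written a cache, but it is worth confirming that every module in the stack tolerates a delete with nothing to delete. The start of the condition lies above the visible context; if it includes the call that initialises hdl, this line would also run on a handle that was never set up, and the cleanup should be skipped in that case. On the success path the return value of the delete is discarded and pam_end is still passed PAM_SUCCESS, so a cache that could not be removed goes unnoticed; checking the result and logging a failure would make leftover files in /tmp diagnosable.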
--- imap-4.7/src/osdep/unix/ckp_pmb.c.orig      Thu Apr 29 23:29:55 1999
+++ imap-4.7/src/osdep/unix/ckp_pmb.c   Fri Apr 21 08:33:31 2000
@@ -92,9 +92,11 @@
       (pam_authenticate (hdl,NIL) != PAM_SUCCESS) ||
       (pam_acct_mgmt (hdl,NIL) != PAM_SUCCESS) ||
       (pam_setcred (hdl,PAM_ESTABLISH_CRED) != PAM_SUCCESS)) {
+    pam_setcred (hdl,PAM_DELETE_CRED);
     pam_end (hdl,PAM_AUTH_ERR);        /* failed */
     return NIL;
   }
+  pam_setcred (hdl,PAM_DELETE_CRED);
   pam_end (hdl,PAM_SUCCESS);   /* return success */
   return pw;
 }
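Review bot: The two added lines in ckp_pmb.c have no comment, unlike the neighbouring /* failed */ and /* return success */ lines, and on the success path it is not obvious why PAM_ESTABLISH_CRED is followed directly by PAM_DELETE_CRED. A short comment saying that the credentials are needed only for this check and are removed before pam_end would document the intent. The change is also identical to the one in ckp_pam.c, so a shared cleanup helper would keep the two files from drifting apart.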

Comment 1 Nalin Dahyabhai 2000-05-11 22:35:59 UTC
This may actually be a pam_krb5 bug.  What are the contents of your
/etc/pam.d/imap file?

Comment 2 Chris Rode 2000-05-12 16:22:59 UTC
My imap PAM config looks like:

[(26) root@vir /etc/pam.d]# cat imap
#%PAM-1.0

auth            sufficient      /lib/security/pam_krb5.so
auth            required        /lib/security/pam_unix.so shadow try_first_pass

account         required        /lib/security/pam_unix.so

session         required        /lib/security/pam_krb5.so

Comment 3 Nalin Dahyabhai 2001-08-30 21:45:21 UTC
This should be fixed with the current set of imap errata packages.