Bug 10966 - imapd with krb5 auth. leaves behind tickets in /tmp
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: pam_krb5
Version: 6.2
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Nalin Dahyabhai
Reported: 2000-04-21 11:43 EDT by Chris Rode
Modified: 2008-05-01 11:37 EDT
Doc Type: Bug Fix
Last Closed: 2000-05-12 12:22:13 EDT
Description Chris Rode 2000-04-21 11:43:50 EDT
When using imapd with pam_krb5.so for authentication, imapd doesn't clean
up the ticket caches in /tmp.  This leaves behind a huge mess on a busy
system.  The following patch fixes:

--- imap-4.7/src/osdep/unix/ckp_pam.c.orig      Mon Dec 14 22:04:09 1998
+++ imap-4.7/src/osdep/unix/ckp_pam.c   Fri Apr 21 08:33:09 2000
@@ -96,9 +96,11 @@
       (pam_authenticate (hdl,NIL) != PAM_SUCCESS) ||
       (pam_acct_mgmt (hdl,NIL) != PAM_SUCCESS) ||
       (pam_setcred (hdl,PAM_ESTABLISH_CRED) != PAM_SUCCESS)) {
+    pam_setcred (hdl,PAM_DELETE_CRED);
     pam_end (hdl,PAM_AUTH_ERR);        /* failed */
     return NIL;
   }
+  pam_setcred (hdl,PAM_DELETE_CRED);
   pam_end (hdl,PAM_SUCCESS);   /* return success */
   return pw;
 }
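Review bot: In the failure branch of ckp_pam.c, the added pam_setcred (hdl,PAM_DELETE_CRED) runs no matter which term of the || chain failed, so it is also called when pam_authenticate or pam_acct_mgmt failed and PAM_ESTABLISH_CRED was never attempted. Its return value is discarded in both added lines, so a module that fails to remove the ticket cache leaves the file in /tmp with no trace. Consider deleting only once the establish step has been reached, and checking the result against PAM_SUCCESS and logging on failure so leftover caches become visible to the operator.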
--- imap-4.7/src/osdep/unix/ckp_pmb.c.orig      Thu Apr 29 23:29:55 1999
+++ imap-4.7/src/osdep/unix/ckp_pmb.c   Fri Apr 21 08:33:31 2000
@@ -92,9 +92,11 @@
       (pam_authenticate (hdl,NIL) != PAM_SUCCESS) ||
       (pam_acct_mgmt (hdl,NIL) != PAM_SUCCESS) ||
       (pam_setcred (hdl,PAM_ESTABLISH_CRED) != PAM_SUCCESS)) {
+    pam_setcred (hdl,PAM_DELETE_CRED);
     pam_end (hdl,PAM_AUTH_ERR);        /* failed */
     return NIL;
   }
+  pam_setcred (hdl,PAM_DELETE_CRED);
   pam_end (hdl,PAM_SUCCESS);   /* return success */
   return pw;
 }
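Review bot: On the success path of ckp_pmb.c, the condition calls pam_setcred (hdl,PAM_ESTABLISH_CRED) and the added line deletes those credentials immediately before pam_end (hdl,PAM_SUCCESS), so the credential cache is written and removed with nothing using it in between. If the function only needs to verify the password, dropping PAM_ESTABLISH_CRED from the condition would avoid creating the cache in /tmp at all; if the establish step is kept on purpose, a comment saying why would help. The change is also a line-for-line copy of the one in ckp_pam.c, so a shared cleanup helper would keep the two files from drifting apart.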
Comment 1 Nalin Dahyabhai 2000-05-11 18:35:59 EDT
This may actually be a pam_krb5 bug.  What are the contents of your
/etc/pam.d/imap file?
Comment 2 Chris Rode 2000-05-12 12:22:59 EDT
My imap PAM config looks like:

[(26) root@vir /etc/pam.d]# cat imap
#%PAM-1.0

auth            sufficient      /lib/security/pam_krb5.so
auth            required        /lib/security/pam_unix.so shadow try_first_pass

account         required        /lib/security/pam_unix.so

session         required        /lib/security/pam_krb5.so
Comment 3 Nalin Dahyabhai 2001-08-30 17:45:21 EDT
This should be fixed with the current set of imap errata packages.
