Bug 10966 - imapd with krb5 auth. leaves behind tickets in /tmp
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: pam_krb5
Version: 6.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Nalin Dahyabhai
Reported: 2000-04-21 15:43 UTC by Chris Rode
Modified: 2008-05-01 15:37 UTC (History)
Doc Type: Bug Fix
Last Closed: 2000-05-12 16:22:13 UTC

Description Chris Rode 2000-04-21 15:43:50 UTC
When using imapd with pam_krb5.so for authentication, imapd doesn't clean
up the ticket caches in /tmp.  This leaves behind a huge mess on a busy
system.  The following patch fixes:

--- imap-4.7/src/osdep/unix/ckp_pam.c.orig      Mon Dec 14 22:04:09 1998
+++ imap-4.7/src/osdep/unix/ckp_pam.c   Fri Apr 21 08:33:09 2000
@@ -96,9 +96,11 @@
       (pam_authenticate (hdl,NIL) != PAM_SUCCESS) ||
       (pam_acct_mgmt (hdl,NIL) != PAM_SUCCESS) ||
       (pam_setcred (hdl,PAM_ESTABLISH_CRED) != PAM_SUCCESS)) {
+    pam_setcred (hdl,PAM_DELETE_CRED);
     pam_end (hdl,PAM_AUTH_ERR);        /* failed */
     return NIL;
   }
+  pam_setcred (hdl,PAM_DELETE_CRED);
   pam_end (hdl,PAM_SUCCESS);   /* return success */
   return pw;
 }
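
Review bot: the return value of both added pam_setcred (hdl,PAM_DELETE_CRED) calls is discarded, so a failed delete, which is exactly the case that leaves a ticket cache behind in /tmp, goes unnoticed. Compare the result against PAM_SUCCESS the way the three calls in the condition above are compared, and log a failure. On the success path the credentials set up by PAM_ESTABLISH_CRED are deleted again immediately before pam_end and return pw; a short comment next to that line, in the style of the existing /* failed */ and /* return success */ comments, should say that this is intentional and that the function only needs to hand back pw.
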
--- imap-4.7/src/osdep/unix/ckp_pmb.c.orig      Thu Apr 29 23:29:55 1999
+++ imap-4.7/src/osdep/unix/ckp_pmb.c   Fri Apr 21 08:33:31 2000
@@ -92,9 +92,11 @@
       (pam_authenticate (hdl,NIL) != PAM_SUCCESS) ||
       (pam_acct_mgmt (hdl,NIL) != PAM_SUCCESS) ||
       (pam_setcred (hdl,PAM_ESTABLISH_CRED) != PAM_SUCCESS)) {
+    pam_setcred (hdl,PAM_DELETE_CRED);
     pam_end (hdl,PAM_AUTH_ERR);        /* failed */
     return NIL;
   }
+  pam_setcred (hdl,PAM_DELETE_CRED);
   pam_end (hdl,PAM_SUCCESS);   /* return success */
   return pw;
 }
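
Review bot: these are the same two added lines, against the same context, as in the ckp_pam.c hunk, so the credential cleanup now exists as two copies that have to be kept in step by hand. Consider moving the pam_setcred (hdl,PAM_DELETE_CRED) plus pam_end sequence into one shared helper or macro used by both files. The call added inside the failure branch also runs whichever term of the condition failed, including when pam_setcred (hdl,PAM_ESTABLISH_CRED) itself returned an error; a comment stating that deleting in that state is deliberate would keep a later cleanup from removing it.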

Comment 1 Nalin Dahyabhai 2000-05-11 22:35:59 UTC
This may actually be a pam_krb5 bug.  What are the contents of your
/etc/pam.d/imap file?

Comment 2 Chris Rode 2000-05-12 16:22:59 UTC
My imap PAM config looks like:

[(26) root@vir /etc/pam.d]# cat imap
#%PAM-1.0

auth            sufficient      /lib/security/pam_krb5.so
auth            required        /lib/security/pam_unix.so shadow try_first_pass

account         required        /lib/security/pam_unix.so

session         required        /lib/security/pam_krb5.so

Comment 3 Nalin Dahyabhai 2001-08-30 21:45:21 UTC
This should be fixed with the current set of imap errata packages.

