149731 – xscreensaver bypasses PAM for Kerberos users

Bug 149731 - xscreensaver bypasses PAM for Kerberos users

Summary: xscreensaver bypasses PAM for Kerberos users

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	xscreensaver
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Ray Strode [halfline]
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-02-25 20:32 UTC by Nalin Dahyabhai
Modified:	2007-11-30 22:11 UTC (History)
CC List:	0 users
Fixed In Version:	4.18-19
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2005-02-25 20:34:14 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Nalin Dahyabhai 2005-02-25 20:32:38 UTC

Description of problem:
If a user can be authenticated using Kerberos, then xscreensaver does
not use PAM to authenticate a user who can supply a correct Kerberos
password.

Version-Release number of selected component (if applicable):
4.18-18

How reproducible:
Always.

Steps to Reproduce:
1. Configure PAM to *not* use Kerberos, using authconfig.
2. Log in as a user with a corresponding Kerberos principal in the
local Kerberos realm.
3. Lock the screen.
4. When attempting to unlock the screen, supply the user's Kerberos
password.
  
Actual results:
The screen unlocks.

Expected results:
The screen should stay locked because PAM did not okay the user.

Additional info:
This is caused because xscreensaver's configure script detects
Kerberos at compile-time, and if support for Kerberos is compiled into
xscreensaver, then xscreensaver will attempt to verify a password
using Kerberos before it will attempt to verify it using PAM.  Passing
"--without-kerberos" to configure should fix it.

Note You need to log in before you can comment on or make changes to this bug.