Red Hat Bugzilla – Bug 149731
xscreensaver bypasses PAM for Kerberos users
Last modified: 2007-11-30 17:11:00 EST
Description of problem:
If a user can be authenticated using Kerberos, then xscreensaver does
not use PAM to authenticate a user who can supply a correct Kerberos

Version-Release number of selected component (if applicable):

Steps to Reproduce:
1. Configure PAM to *not* use Kerberos, using authconfig.
2. Log in as a user with a corresponding Kerberos principal in the
local Kerberos realm.
3. Lock the screen.
4. When attempting to unlock the screen, supply the user's Kerberos

The screen unlocks.

The screen should stay locked because PAM did not okay the user.

This is caused because xscreensaver's configure script detects
Kerberos at compile-time, and if support for Kerberos is compiled into
xscreensaver, then xscreensaver will attempt to verify a password
using Kerberos before it will attempt to verify it using PAM. Passing
"--without-kerberos" to configure should fix it.