Red Hat Bugzilla – Bug 201
login no longer honors PAM sessions
Last modified: 2008-05-01 11:37:48 EDT
The following comment can be found in
/* There was some junk with
that was incorrect, and util-linux-2.7-11.src.rpm
a patch that makes the fork entirely useless.
If you introduce one again, please document in the
what its purpose is. - aeb */
Will someone please track down "aeb" and make him read the
PAM documentation, followed by an overview of Kerberos? I
was not amused to discover that our Kerberos tickets and AFS
tokens (similar) were being destroyed immediately because
the above brokenness invokes pam_close_session() to destroy
the tickets/tokens before exec()ing the user's shell instead
of at logout. PAM is now fairly useless for its intended
purpose except in cases where it doesn't buy one anything.
I have worked around this problem locally for AFS tokens;
the solution for Kerberos was to replace /bin/login with a
non-PAMified Kerberized version until such time as it can be
Restored the util-linux-2.7 fork/exec/wait/PAM_END.
I also added your comments and e-mail address to the source.
Fixed in dist-6.0/util-linux-2.9-4
*** Bug 1009 has been marked as a duplicate of this bug. ***
In util-linux 2.8, a piece of code of login.c was
eliminated. This code waited for the shell to end to call
pam_close_session. So, the version that comes with redhat
5.2 calls pam_close_session before executing the shell
instead of waiting for it to end and then close the session.
The bug is fixed since util-linux-2.9c
------- Additional Comments From email@example.com 02/02/99 01:24 -------
This is a duplicate of #201