An updated pam_krb5 package that fixes various bugs is now available for Red Hat Enterprise Linux 6.
The pam_krb5 package allows PAM-aware applications to check user passwords with the help of a Kerberos KDC.
When a client logged into a remote host using SSH with GSSAPI authentication, configured to re-delegate credentials when the client obtains fresh credentials, pam_krb5 created a new credential cache on the remote host in addition to the cache created by SSH. Consequently, the credential cache that pam_krb5 had created for the user's session would not be updated when they were renewed on the client. This update prevents pam_krb5 from creating its own cache in the scenario described, so the credential delegation mechanism is not interfered with.
Prior to this update, when a client attempted to perform a password change after using a non-password-based pre-authentication mechanism (such as a Smart Card), the pam_krb5 module would unnecessarily prompt for the user's PIN (twice). This update corrects this bug.
- BZ#720609, BZ#722489, BZ#733803
When a client, using SSH, logged into a remote host using the PasswordAuthentication mechanism, two credential caches would be created for the user on the remote host, but only one of them would be removed when the user logged out. This update no longer creates the second, redundant cache.
All users of pam_krb5 are advised to upgrade to this updated package, which fixes these bugs.