RHBA-2009:0135 - Bug Fix Advisory

Topic

Updated pam_krb5 packages that resolve several issues are now available.

Description

The pam_krb5 module allows Pluggable Authentication Modules (PAM) aware
applications to use Kerberos to verify user identities by obtaining user
credentials at log in time.

These updated pam_krb5 packages provide fixes for the following bugs:

• when obtaining credentials for use with the Andrew File System (AFS), if

the AFS cell's name and the Kerberos realm's name differed only in the case
of the letters, the pam_krb5 module would assume that the cell name was
used as a component of the AFS service's principal name. On networks where
this was not the case, it led to unavoidable delays as the client attempted
to fetch credentials for use with a non-existent server before moving on
and guessing the correct principal name. This update adds a new parameter
to the afs5log utility that reverses the order in which it performs its
guesses in these cases. To use this new capability in the pam_krb5 module,
the "null_afs = yes" parameter should be set in the krb5.conf configuration
file. Also, afs5log can now be invoked with the '--nullafs' switch, or with
its corresponding short option, '-n'.

• when a user's password had expired, the pam_krb5 module would not prevent

the Kerberos library from attempting to change the user's password during
an authentication attempt, which was incorrect behavior for a PAM module.
In these updated packages, the pam_krb5 module does prevent the Kerberos
library from attempting to change the user's password during an
authentication attempt, thus bringing its behavior more in line with proper
Pluggable Authentication Module behavior.

• the pam_krb5.so module could not be opened using the dlopen() function

unless the calling application had linked with the libpam library. This
update links the module directly with libpam in order to avoid this issue.

• the pam_krb5 module would crash due to a segmentation fault when the

pam_get_user() function indicated success but returned a NULL value for the
user name, as could happen if a user entered the CTRL-D control code for
the password (which sends an EOF, or End-of-File, character). In these
updated packages, the pam_krb5 module treats a NULL value for the user name
when the pam_get_user() function returns successfully as an error, thus
resolving the issue.

• log messages sent to the system log were logged to the LOG_USER facility

instead of the LOG_AUTHPRIV facility. This update corrects this mistake.

• an attempt to change a non-existent user's password would fail with a

PAM_AUTH_ERR result instead of the more correct and specific
PAM_USER_UNKNOWN result. This update corrects this bug.

All users of pam_krb5 are advised to upgrade to these updated packages,
which resolve these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 249558 - [PATCH]: use instance-less AFS service tickets
• BZ - 354291 - pam_krb5 : syslog messages
• BZ - 400611 - [RHEL 5] pam_sm_chauthtok() of rel5 pam_krb5 returns PAM_AUTH_ERR (7) if a user is not a Kerberos user.
• BZ - 402721 - pam_krb5 password changing problem
• BZ - 460998 - PAM unable to dlopen(/lib/security/pam_krb5.so)
• BZ - 467208 - SIGSEGV on CTRL+D

CVEs

(none)

References

(none)