Issued: 2007-11-15
Updated: 2007-11-15
RHEA-2007:0790 - Product Enhancement Advisory
Synopsis
pam_krb5 bug fix and enhancement update
Type/Severity
Product Enhancement Advisory
Topic
Updated pam_krb5 packages that address several bugs and add enhancements
are now available.
Description
The pam_krb5 module allows PAM-aware applications to use Kerberos to verify
user identities by obtaining user credentials at login time.
These updated packages fix the following bugs:
- if the calling application correctly opened a Pluggable Authentication
Module (PAM) session and initialized PAM credentials, but read the
environment (e.g. to set up a child process) before completing either
step, the KRB5CCNAME environment variable would either not be set, or would
contain a value that had become invalid. These updated packages accommodate
applications which propagate the PAM environment to child processes before
initializing PAM credentials.
- when a user who is unknown to the Kerberos server attempted to change
their password, a "passwd: Authentication failure" error occurred. A
"passwd: User not known to the underlying authentication module" error is
now returned.
- after a user attempted to change an expired password, their new Kerberos
credentials were not provided for their session. The "klist -a" command
displayed no credentials. User sessions are now correctly established with
updated credentials after changing an expired password.
- the pam_krb5 module would incorrectly attempt to validate credentials
obtained for use during a password change operation. This caused the
password-changing operation to fail when it should have succeeded. The
system log would receive a "TGT failed verification using key for XXX"
error, where XXX is the name of a service whose key is in the local
keytab file.
- when validating credentials the pam_krb5 module would open a keytab file
twice but only close it once; the extra open file descriptor was leaked.
- the client's principal name is now correctly stored in a Kerberos IV
ticket file when the Kerberos IV credentials were obtained by converting
Kerberos 5 credentials that came from outside pam_krb5, for example
credentials delegated to the system over the network during
authentication.
- applications that used dlopen() to load the PAM library would fail to
authenticate with pam_krb5 due to symbol resolution problems. The module
now links directly to libpam.
- in certain situations, configuring a system to authenticate using pam_krb5
caused sudo to fail: the user was repeatedly asked for a password, and in
some situations a broken pipe error occurred. Note that this issue may not
be confined to the sudo program.
- pam_krb5 logged some debug messages even when debugging was disabled.
- when changing passwords, the old password was not saved correctly, causing
a "passwd: Authentication token manipulation error" error. Old passwords are
now saved correctly for use by other modules in the PAM stack, allowing
users to change their password.
This update also adds the following enhancements:
- a new "pwhelp" option, configured in krb5.conf as
"pwhelp = [path/to/file]", causes the named text file to be displayed when
a user changes passwords.
- the account management function has been modified so that an "Error:
account is locked" error is returned if the Key Distribution Center (KDC)
indicates a user's account has been revoked.
- the warning message supplied by KDCs about user passwords expiring is
now displayed to the user.
- if the KDC rejected a user's new password, for example due to failure to
meet the realm's password complexity requirements, the user would be told
that the password change succeeded when in fact it had not. The outcome of
password changes is now checked.
All pam_krb5 users should upgrade to these updated packages, which resolve
these issues and add these enhancements.
Solution
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188
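As an added example (not Red Hat tooling, and not part of the advisory), the following POSIX shell script performs the two checks a practitioner wants after an update like this one: it confirms that every installed pam_krb5 package is at or above the fixed build 2.1.17-1, and it verifies a downloaded RPM against the SHA-256 digests the advisory publishes in the package tables later on this page. It assumes rpm(8)'s --qf query format and a sha256sum or shasum binary; the version comparison handles only the numeric version and release fields this package uses, not dist tags or alpha/beta suffixes.

```shell
#!/bin/sh
# Post-update checks for RHEA-2007:0790 (pam_krb5-2.1.17-1 on RHEL 4).
# Added example, not Red Hat tooling.  Assumes rpm(8) and sha256sum/shasum.

FIXED_VR="2.1.17-1"   # version-release that carries the fixes in this advisory

# Compare two purely numeric RPM version-release strings such as 2.1.16-4.
# Prints -1, 0 or 1.  Fields are split on '.' and '-'; a missing trailing
# field counts as 0.  Non-numeric fields are not handled (none occur here).
vercmp() {
    vc_a=$(printf '%s' "$1" | tr '-' '.')
    vc_b=$(printf '%s' "$2" | tr '-' '.')
    while [ -n "$vc_a" ] || [ -n "$vc_b" ]; do
        vc_ai=${vc_a%%.*}; vc_bi=${vc_b%%.*}
        case $vc_a in *.*) vc_a=${vc_a#*.} ;; *) vc_a= ;; esac
        case $vc_b in *.*) vc_b=${vc_b#*.} ;; *) vc_b= ;; esac
        if [ "${vc_ai:-0}" -lt "${vc_bi:-0}" ]; then printf '%s\n' -1; return 0; fi
        if [ "${vc_ai:-0}" -gt "${vc_bi:-0}" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Succeeds when VERSION-RELEASE $1 is at or above the fixed build.
is_fixed() {
    [ "x$(vercmp "$1" "$FIXED_VR")" != "x-1" ]
}

# SHA-256 digests published in the advisory, keyed by package file name.
expected_sha256() {
    case $1 in
        pam_krb5-2.1.17-1.src.rpm)    echo 347a082fdf7cec3b5a78f828b053afb9e95725d5c083368734a68936712c4a5a ;;
        pam_krb5-2.1.17-1.i386.rpm)   echo 6495803d8c06bd1c3d8183d65d5b841149193b14ae2db895fff4dab140ef7f6b ;;
        pam_krb5-2.1.17-1.x86_64.rpm) echo bc4bdf528ebaeea909866d044506842c2a94a286ee7125270c2ced05318bf0d2 ;;
        pam_krb5-2.1.17-1.ia64.rpm)   echo 87dbb671e0cf874d83549af28b666f71077d3a36a7af6b336ecb299049ab54d0 ;;
        pam_krb5-2.1.17-1.s390.rpm)   echo 8dd93d02d10aa6bcca5944af15d9ea97d21fded5b71542a10355f02b9c7b2fef ;;
        pam_krb5-2.1.17-1.s390x.rpm)  echo fe2639153e1d4636b219f3f2aa5c9a1f908328f9bb638875cc7f285c79c780cb ;;
        pam_krb5-2.1.17-1.ppc.rpm)    echo 0c5ae43f169b2986af187daec384d5744cc7873116f5d212e794e3be4e65809c ;;
        pam_krb5-2.1.17-1.ppc64.rpm)  echo ebab46ff5b2184544a0f65c6e0982cd2b1d7214b7f76adfca02e86a63d3120d0 ;;
        *) return 1 ;;
    esac
}

# Hex SHA-256 of a file, using whichever digest tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Verify a downloaded RPM against the advisory digest for its file name.
# Returns 0 on match, 1 on mismatch, 2 when the name is not in the advisory.
verify_rpm() {
    vr_name=$(basename "$1")
    vr_exp=$(expected_sha256 "$vr_name") || {
        echo "$vr_name: not listed in RHEA-2007:0790" >&2; return 2; }
    vr_got=$(sha256_of "$1")
    if [ "$vr_got" = "$vr_exp" ]; then
        echo "$vr_name: SHA-256 OK"; return 0
    fi
    echo "$vr_name: SHA-256 MISMATCH (got $vr_got)" >&2
    return 1
}

# Report whether every installed pam_krb5 package (one per arch on multilib
# hosts) is at or above the fixed build.  Returns 1 if any is older.
check_installed() {
    ci_list=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' pam_krb5 2>/dev/null) || {
        echo "pam_krb5 is not installed (or rpm is unavailable)"; return 0; }
    ci_rc=0
    for ci_vr in $ci_list; do
        if is_fixed "$ci_vr"; then
            echo "pam_krb5-$ci_vr: at or above $FIXED_VR"
        else
            echo "pam_krb5-$ci_vr: older than $FIXED_VR, apply the update"; ci_rc=1
        fi
    done
    return $ci_rc
}

# Usage: sh check_pam_krb5.sh check
#        sh check_pam_krb5.sh verify ./pam_krb5-2.1.17-1.x86_64.rpm ...
case ${1:-} in
    check)  check_installed ;;
    verify) shift; for f in "$@"; do verify_rpm "$f"; done ;;
esac
```

The digest check only proves that the file you downloaded is byte-for-byte the one the advisory describes; it is not a substitute for the package signature, which rpm --checksig verifies against the Red Hat GPG key. Run the "check" form after the update (on multilib hosts both the i386 and x86_64 packages are reported) and the "verify" form on any RPM fetched by hand before installing it.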
Affected Products
- Red Hat Enterprise Linux Server 4 x86_64
- Red Hat Enterprise Linux Server 4 ia64
- Red Hat Enterprise Linux Server 4 i386
- Red Hat Enterprise Linux Workstation 4 x86_64
- Red Hat Enterprise Linux Workstation 4 ia64
- Red Hat Enterprise Linux Workstation 4 i386
- Red Hat Enterprise Linux Desktop 4 x86_64
- Red Hat Enterprise Linux Desktop 4 i386
- Red Hat Enterprise Linux for IBM z Systems 4 s390x
- Red Hat Enterprise Linux for IBM z Systems 4 s390
- Red Hat Enterprise Linux for Power, big endian 4 ppc
Fixes
- BZ - 150056 - PAM patches to /bin/su call pam_setcred after pam_open_session
- BZ - 173681 - [PATCH] pam_krb5 leaks file descriptor
- BZ - 202190 - Lots of new pam_krb5 messages after update
- BZ - 213407 - Aggressive protection in pam_krb5 makes sudo fail (broken pipe)
- BZ - 227097 - missing symbols in pam_krb5
CVEs
(none)
References
(none)
Red Hat Enterprise Linux Server 4
SRPM | SHA-256
---|---
pam_krb5-2.1.17-1.src.rpm | 347a082fdf7cec3b5a78f828b053afb9e95725d5c083368734a68936712c4a5a
x86_64 | SHA-256
---|---
pam_krb5-2.1.17-1.i386.rpm | 6495803d8c06bd1c3d8183d65d5b841149193b14ae2db895fff4dab140ef7f6b
pam_krb5-2.1.17-1.x86_64.rpm | bc4bdf528ebaeea909866d044506842c2a94a286ee7125270c2ced05318bf0d2
ia64 | SHA-256
---|---
pam_krb5-2.1.17-1.i386.rpm | 6495803d8c06bd1c3d8183d65d5b841149193b14ae2db895fff4dab140ef7f6b
pam_krb5-2.1.17-1.ia64.rpm | 87dbb671e0cf874d83549af28b666f71077d3a36a7af6b336ecb299049ab54d0
i386 | SHA-256
---|---
pam_krb5-2.1.17-1.i386.rpm | 6495803d8c06bd1c3d8183d65d5b841149193b14ae2db895fff4dab140ef7f6b
Red Hat Enterprise Linux Workstation 4
SRPM | SHA-256
---|---
pam_krb5-2.1.17-1.src.rpm | 347a082fdf7cec3b5a78f828b053afb9e95725d5c083368734a68936712c4a5a
x86_64 | SHA-256
---|---
pam_krb5-2.1.17-1.i386.rpm | 6495803d8c06bd1c3d8183d65d5b841149193b14ae2db895fff4dab140ef7f6b
pam_krb5-2.1.17-1.x86_64.rpm | bc4bdf528ebaeea909866d044506842c2a94a286ee7125270c2ced05318bf0d2
ia64 | SHA-256
---|---
pam_krb5-2.1.17-1.i386.rpm | 6495803d8c06bd1c3d8183d65d5b841149193b14ae2db895fff4dab140ef7f6b
pam_krb5-2.1.17-1.ia64.rpm | 87dbb671e0cf874d83549af28b666f71077d3a36a7af6b336ecb299049ab54d0
i386 | SHA-256
---|---
pam_krb5-2.1.17-1.i386.rpm | 6495803d8c06bd1c3d8183d65d5b841149193b14ae2db895fff4dab140ef7f6b
Red Hat Enterprise Linux Desktop 4
SRPM | SHA-256
---|---
pam_krb5-2.1.17-1.src.rpm | 347a082fdf7cec3b5a78f828b053afb9e95725d5c083368734a68936712c4a5a
x86_64 | SHA-256
---|---
pam_krb5-2.1.17-1.i386.rpm | 6495803d8c06bd1c3d8183d65d5b841149193b14ae2db895fff4dab140ef7f6b
pam_krb5-2.1.17-1.x86_64.rpm | bc4bdf528ebaeea909866d044506842c2a94a286ee7125270c2ced05318bf0d2
i386 | SHA-256
---|---
pam_krb5-2.1.17-1.i386.rpm | 6495803d8c06bd1c3d8183d65d5b841149193b14ae2db895fff4dab140ef7f6b
Red Hat Enterprise Linux for IBM z Systems 4
SRPM | SHA-256
---|---
pam_krb5-2.1.17-1.src.rpm | 347a082fdf7cec3b5a78f828b053afb9e95725d5c083368734a68936712c4a5a
s390x | SHA-256
---|---
pam_krb5-2.1.17-1.s390.rpm | 8dd93d02d10aa6bcca5944af15d9ea97d21fded5b71542a10355f02b9c7b2fef
pam_krb5-2.1.17-1.s390x.rpm | fe2639153e1d4636b219f3f2aa5c9a1f908328f9bb638875cc7f285c79c780cb
s390 | SHA-256
---|---
pam_krb5-2.1.17-1.s390.rpm | 8dd93d02d10aa6bcca5944af15d9ea97d21fded5b71542a10355f02b9c7b2fef
Red Hat Enterprise Linux for Power, big endian 4
SRPM | SHA-256
---|---
pam_krb5-2.1.17-1.src.rpm | 347a082fdf7cec3b5a78f828b053afb9e95725d5c083368734a68936712c4a5a
ppc | SHA-256
---|---
pam_krb5-2.1.17-1.ppc.rpm | 0c5ae43f169b2986af187daec384d5744cc7873116f5d212e794e3be4e65809c
pam_krb5-2.1.17-1.ppc64.rpm | ebab46ff5b2184544a0f65c6e0982cd2b1d7214b7f76adfca02e86a63d3120d0
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.