Fix security hole when Kerberos credential caching is enabled

The prior PAM stack configuration, while unfortunately present in many online examples, allows storing of an arbitrary cached password for non-Kerberos users by simply entering it twice
pull/1/head
Timothy Pearson 11 years ago
parent 93ce320477
commit bea400f197

@ -4087,7 +4087,7 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n"; stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n";
stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n"; stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
if (pamConfig.enable_cached_credentials) { if (pamConfig.enable_cached_credentials) {
stream << "auth [default=bad success=ok] pam_ccreds.so action=validate use_first_pass" << "\n"; stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n";
stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n"; stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
} }
stream << "auth required pam_deny.so" << "\n"; stream << "auth required pam_deny.so" << "\n";

Loading…
Cancel
Save