TDE
/
libtdeldap
mirror of https://mirror.git.trinitydesktop.org/gitea/TDE/libtdeldap
0
0
Fork 0
Code Issues Releases Wiki Activity

Fix security hole when Kerberos credential caching is enabled

Browse Source 
The prior PAM stack configuration, while unfortunately present in many online examples, allows storing of an arbitrary cached password for non-Kerberos users by simply entering it twice
pull/1/head
Timothy Pearson 11 years ago
parent 93ce320477
commit bea400f197
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File

2
src/libtdeldap.cpp
Unescape View File

@ -4087,7 +4087,7 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n";
stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
if (pamConfig.enable_cached_credentials) {
stream << "auth [default=bad success=ok] pam_ccreds.so action=validate use_first_pass" << "\n";
stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n";
stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
}
stream << "auth required pam_deny.so" << "\n";

Write Preview
Loading…
Cancel
Save