"Stefan Hornburg (Racke)" <ra...@linuxia.de> writes:

> The upstream author commented on this:
> http://sourceforge.net/mailarchive/forum.php?thread_name=cone.1335179327.95630.24095.1000%40monster.email-scan.com&forum_name=courier-users

Thanks for forwarding the bug along! Could you also pass this along?

The assumption that all resources allocated by a PAM module can be made process resources is unfortunately not correct (as much as I wish that it were). Due to a variety of reasons mostly related to how OpenSSH works with privilege separation enabled, any Kerberos PAM module has to stash the initial tickets in an external resource outside of the PAM library data because the PAM library data is not preserved by OpenSSH between the auth step and the session step. (Mine uses a temporary disk ticket cache; Red Hat's uses a shared memory segment.) That external resource won't be cleaned up properly without a pam_end call.

The lack of pam_end will also affect other PAM modules that change external system state, such as pam_mount, although they're probably less likely to be called in the context of Courier.

Of course, if there's a better way of handling the PAM authentication inside ssh with privilege separation such that the temporary disk ticket cache isn't required, I'm all ears -- I've always considered it a bit of a hack (although less of one than using shared memory segments), and I'd love to replace it with something else. I've just never been able to find a better solution.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>