On 04/23/2012 06:42 PM, Russ Allbery wrote:
> "Stefan Hornburg (Racke)" <ra...@linuxia.de> writes:
>> The upstream author commented on this:
>> http://sourceforge.net/mailarchive/forum.php?thread_name=cone.1335179327.95630.24095.1000%40monster.email-scan.com&forum_name=courier-users
>
> Thanks for forwarding the bug along! Could you also pass this along?
>
> The assumption that all resources allocated by a PAM module can be made
> process resources is unfortunately not correct (as much as I wish that it
> were). Due to a variety of reasons mostly related to how OpenSSH works
> with privilege separation enabled, any Kerberos PAM module has to stash
> the initial tickets in an external resource outside of the PAM library
> data because the PAM library data is not preserved by OpenSSH between the
> auth step and the session step. (Mine uses a temporary disk ticket cache;
> Red Hat's uses a shared memory segment.) That external resource won't be
> cleaned up properly without a pam_end call.
>
> The lack of pam_end will also affect other PAM modules that change
> external system state, such as pam_mount, although they're probably less
> likely to be called in the context of Courier.
>
> Of course, if there's a better way of handling the PAM authentication
> inside ssh with privilege separation such that the temporary disk ticket
> cache isn't required, I'm all ears -- I've always considered it a bit of a
> hack (although less of one than using shared memory segments), and I'd
> love to replace it with something else. I've just never been able to find
> a better solution.

OK, I'll forward this as well. Can you please provide a patch adding the
pam_end call?
Regards
Racke
--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
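The point Russ makes above (module state that lives outside the PAM handle, such as a ticket cache on disk, is only released when the application calls pam_end, because that is where the module's registered cleanup runs) is easy to see in a small model. The code below is an added example, not code from Courier, pam-krb5 or Linux-PAM: it re-implements the pam_start/pam_set_data/pam_end shape with `model_`-prefixed names so it builds without libpam, and the "Kerberos module" is a stand-in that writes a constructed placeholder file under /tmp instead of real tickets. `model_cache_leaked(0)` runs the buggy application path (handle dropped, no pam_end) and reports the cache file still present; `model_cache_leaked(1)` calls pam_end and reports it gone.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Return codes: same meaning as Linux-PAM's PAM_SUCCESS / PAM_BUF_ERR; the
 * numeric values here are an assumption of this model, not libpam's. */
#define MODEL_PAM_SUCCESS 0
#define MODEL_PAM_BUF_ERR 5

typedef void (*model_cleanup_fn)(void *data, int error_status);

/* One entry of the per-handle module-data list (what pam_set_data() keeps). */
typedef struct model_data {
    char *name;
    void *data;
    model_cleanup_fn cleanup;
    struct model_data *next;
} model_data_t;

typedef struct { model_data_t *data; } model_pam_handle_t;

static int model_pam_start(model_pam_handle_t **pamh) {
    *pamh = calloc(1, sizeof **pamh);
    return *pamh ? MODEL_PAM_SUCCESS : MODEL_PAM_BUF_ERR;
}

static int model_pam_set_data(model_pam_handle_t *pamh, const char *name,
                              void *data, model_cleanup_fn cleanup) {
    model_data_t *d = calloc(1, sizeof *d);
    if (!d) return MODEL_PAM_BUF_ERR;
    d->name = strdup(name);
    d->data = data;
    d->cleanup = cleanup;
    d->next = pamh->data;
    pamh->data = d;
    return MODEL_PAM_SUCCESS;
}

/* pam_end() is the only place the module cleanups run.  If the application
 * never calls it, nothing a module registered is ever released. */
static int model_pam_end(model_pam_handle_t *pamh, int status) {
    model_data_t *d = pamh->data;
    while (d) {
        model_data_t *next = d->next;
        if (d->cleanup) d->cleanup(d->data, status);
        free(d->name);
        free(d);
        d = next;
    }
    free(pamh);
    return MODEL_PAM_SUCCESS;
}

/* Stand-in for the Kerberos module: the ticket cache is a file on disk,
 * outside the PAM data, so only this cleanup callback can remove it. */
static void ccache_cleanup(void *data, int error_status) {
    char *path = data;
    (void)error_status;
    unlink(path);
    free(path);
}

static int model_krb5_auth(model_pam_handle_t *pamh, char *path_out, size_t out_len) {
    char tmpl[] = "/tmp/krb5cc_pam_model_XXXXXX";   /* assumed location */
    int fd = mkstemp(tmpl);
    if (fd < 0) return MODEL_PAM_BUF_ERR;
    /* constructed placeholder for the initial tickets */
    if (write(fd, "TICKETS\n", 8) != 8) { close(fd); unlink(tmpl); return MODEL_PAM_BUF_ERR; }
    close(fd);
    snprintf(path_out, out_len, "%s", tmpl);
    char *stashed = strdup(tmpl);
    if (!stashed) { unlink(tmpl); return MODEL_PAM_BUF_ERR; }
    return model_pam_set_data(pamh, "pam_krb5_ccache", stashed, ccache_cleanup);
}

/* Run one authentication and report whether the cache file was left on disk:
 * 1 = leaked, 0 = cleaned up, -1 = setup failure.  With call_pam_end == 0 the
 * application does what the bug report describes: it drops the handle
 * (or exits) without ever calling pam_end. */
int model_cache_leaked(int call_pam_end) {
    model_pam_handle_t *pamh;
    char path[64];
    struct stat st;
    if (model_pam_start(&pamh) != MODEL_PAM_SUCCESS) return -1;
    if (model_krb5_auth(pamh, path, sizeof path) != MODEL_PAM_SUCCESS) {
        model_pam_end(pamh, MODEL_PAM_BUF_ERR);
        return -1;
    }
    if (call_pam_end)
        model_pam_end(pamh, MODEL_PAM_SUCCESS);
    /* else: handle intentionally abandoned, as a process exit would do */
    int leaked = (stat(path, &st) == 0);
    if (leaked) unlink(path);   /* remove the leaked file so the demo leaves no residue */
    return leaked;
}

int main(void) {
    printf("without pam_end: cache leaked = %d\n", model_cache_leaked(0));
    printf("with pam_end:    cache leaked = %d\n", model_cache_leaked(1));
    return 0;
}
```

The same pattern applies to every exit path of a real PAM application: each early return after pam_start (authentication failure, account check failure, conversation error) needs its own pam_end with the failing status, or whatever the modules stashed outside the handle survives the process.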