Daniel Willmann <[EMAIL PROTECTED]> writes:

> Package: libpam-krb5
> Version: 1.2.0-2
> Severity: important

> If an application tries to authenticate a non-existing user through
> pam-krb5 this application (it was CUPS here) segfaults. I attached an
> example application to test this behaviour.

Sorry about the delay in getting back to you about this.

I believe I've tracked the segfault itself down to a bug in libkrb53. I'm rebuilding it with a patch right now to be sure. Assuming that I'm correct, though, that fix would just cause the authentication to fail without a segfault.

One of the changes in the current version of libpam-krb5 is that it is more correct about verifying that the credentials acquired are really allowed to log on to the specified account. That means that it now calls krb5_kuserok in places it wasn't before (and the best information that I have from others is that the new behavior is correct). However, that has broken use of PAM to authenticate users without local accounts at the moment, and that's clearly not good.

I think the right fix is to only require a local account exist when starting a session. For the authentication step, I believe we should only call krb5_kuserok if a local account exists; otherwise, we should call krb5_aname_to_localname and make sure that the result matches the target user. I'll make that fix in the next release.

> Newer versions of pam-krb5 (I tried snapshot 2003.06.01) do not have
> this problem any more but unfortunately this package is not in debian.

Completely different, not newer, code base with its own (different) set of bugs, problems, and missing features.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
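The authentication-step rule proposed in the message above, sketched as an added example that is not part of the original e-mail or of libpam-krb5. It is a self-contained C model: `kuserok_model` and `map_to_local` are hypothetical stand-ins for `krb5_kuserok` and `krb5_aname_to_localname` (default mapping rule and `.k5login` handling only), and the realm, account list and `.k5login` entry are constructed sample data.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed sample data: default realm, local accounts, one .k5login. */
static const char *REALM = "EXAMPLE.ORG";
static const char *ACCOUNTS[] = { "alice", "root" };
static const char *ROOT_K5LOGIN = "alice/admin@EXAMPLE.ORG";

static bool has_account(const char *user) {
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof *ACCOUNTS; i++)
        if (strcmp(ACCOUNTS[i], user) == 0)
            return true;
    return false;
}

/* Model of krb5_aname_to_localname, default rule only: a single-component
 * principal in the default realm maps to its name; anything else fails. */
static bool map_to_local(const char *princ, char *out, size_t len) {
    const char *at = strrchr(princ, '@');
    size_t n = at ? (size_t)(at - princ) : 0;
    if (!at || strcmp(at + 1, REALM) != 0 || n == 0 || n >= len
        || memchr(princ, '/', n) != NULL)
        return false;
    memcpy(out, princ, n);
    out[n] = '\0';
    return true;
}

static bool maps_to(const char *princ, const char *user) {
    char local[64];
    return map_to_local(princ, local, sizeof local) && strcmp(local, user) == 0;
}

/* Model of krb5_kuserok: a .k5login, if present, is the whole access list;
 * without one, fall back to the name mapping. */
static bool kuserok_model(const char *princ, const char *user) {
    if (strcmp(user, "root") == 0)
        return strcmp(princ, ROOT_K5LOGIN) == 0;
    return maps_to(princ, user);
}

/* Authentication step as proposed: account state is consulted only when
 * the account exists; otherwise the mapped name must equal the target. */
bool auth_step_ok(const char *princ, const char *user) {
    return has_account(user) ? kuserok_model(princ, user) : maps_to(princ, user);
}

/* Session step: a local account is required. */
bool session_step_ok(const char *user) { return has_account(user); }
```

In this model a principal can authenticate as a user with no local account only when its mapped name is exactly that user, and the same user is still refused at session start.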