Re: PAM/SSH and KerberosIV?
From: assar@FreeBSD.org
Date: 02/21/01
From: assar@FreeBSD.org
To: Robert Watson <rwatson@FreeBSD.org>
Date: 21 Feb 2001 02:55:49 +0100

Robert Watson <rwatson@FreeBSD.org> writes:
> However, this seems to have broken using unique kerberos ticket filenames
> for each session -- now it always uses /tmp/tkt1000 for uid 1000, rather
> than /tmp/tkt1000_randomnumber, meaning that if you log in twice, the
> first logout hoses the tickets for the second session. This didn't happen
> previously, and is probably an issue with pam_kerberosIV.so that I didn't
> run into previously since I always logged in via SSH. It's probably not a
> security hole as presumably KTH does the right thing with regards to
> O_EXCL and so on, but it's not ideal.
That's what src/lib/libpam/modules/pam_kerberosIV/klogin.c does, and
yes, it should be perfectly safe.
/assar
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
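
The two naming schemes discussed in this message, as an added C example that is not taken from the thread or from klogin.c: a fixed per-uid ticket file created with `O_CREAT | O_EXCL`, next to a per-session file created with `mkstemp()`. The function names, the directory argument and the uid 1000 sample value are assumptions made for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose mkstemp() and mkdtemp() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Fixed name dir/tkt<uid>. With O_CREAT|O_EXCL, open() fails with EEXIST if
 * anything already exists at the path, including a symlink (never followed),
 * so a pre-planted file or link in a shared directory is not reused. */
int create_fixed_ticket(const char *dir, uid_t uid, char *path, size_t len)
{
    int n = snprintf(path, len, "%s/tkt%lu", dir, (unsigned long)uid);
    if (n < 0 || (size_t)n >= len) { errno = ENAMETOOLONG; return -1; }
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Per-session name dir/tkt<uid>_XXXXXX. mkstemp() fills in the suffix and
 * creates the file exclusively with mode 0600, so two logins by the same
 * uid get separate files and one logout cannot remove the other's tickets. */
int create_session_ticket(const char *dir, uid_t uid, char *path, size_t len)
{
    int n = snprintf(path, len, "%s/tkt%lu_XXXXXX", dir, (unsigned long)uid);
    if (n < 0 || (size_t)n >= len) { errno = ENAMETOOLONG; return -1; }
    return mkstemp(path);
}

int main(void)
{
    char dir[] = "/tmp/tktdemo.XXXXXX", a[128], b[128], c[128];
    if (mkdtemp(dir) == NULL) { perror("mkdtemp"); return 1; }
    int f1 = create_fixed_ticket(dir, 1000, a, sizeof a);
    int f2 = create_fixed_ticket(dir, 1000, a, sizeof a);   /* second login */
    printf("fixed:   first fd=%d, second fd=%d (%s)\n", f1, f2, strerror(errno));
    int s1 = create_session_ticket(dir, 1000, b, sizeof b);
    int s2 = create_session_ticket(dir, 1000, c, sizeof c);
    printf("session: %s and %s\n", b, c);
    close(f1); close(s1); close(s2);
    unlink(a); unlink(b); unlink(c); rmdir(dir);
    return (f1 >= 0 && f2 < 0 && s1 >= 0 && s2 >= 0) ? 0 : 1;
}
```

The demo works in a scratch directory made with `mkdtemp()` so that it does not touch real ticket files.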