Re: PAM/SSH and KerberosIV?

From: assar@FreeBSD.org
Date: 02/21/01


From: assar@FreeBSD.org
To: Robert Watson <rwatson@FreeBSD.org>
Date: 21 Feb 2001 02:55:49 +0100

Robert Watson <rwatson@FreeBSD.org> writes:
> However, this seems to have broken using unique kerberos ticket filenames
> for each session -- now it always uses /tmp/tkt1000 for uid 1000, rather
> than /tmp/tkt1000_randomnumber, meaning that if you log in twice, the
> first logout hoses the tickets for the second session. This didn't happen
> previously, and is probably an issue with pam_kerberosIV.so that I didn't
> run into previously since I always logged in via SSH. It's probably not a
> security hole as presumably KTH does the right thing with regards to
> O_EXCL and so on, but it's not ideal.

That's what src/lib/libpam/modules/pam_kerberosIV/klogin.c does, and
yes, it should be perfectly safe.

/assar

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message