From: assar@FreeBSD.org
To: Robert Watson
Cc: "Brian F. Feldman", security@FreeBSD.org
Subject: Re: PAM/SSH and KerberosIV?
Date: 21 Feb 2001 02:55:49 +0100
In-Reply-To: Robert Watson's message of "Fri, 2 Feb 2001 21:14:38 -0500 (EST)"
Message-ID: <5l8zn0ajfe.fsf@assaris.sics.se>

Robert Watson writes:
> However, this seems to have broken using unique kerberos ticket filenames
> for each session -- now it always uses /tmp/tkt1000 for uid 1000, rather
> than /tmp/tkt1000_randomnumber, meaning that if you log in twice, the
> first logout hoses the tickets for the second session. This didn't happen
> previously, and is probably an issue with pam_kerberosIV.so that I didn't
> run into previously since I always logged in via SSH. It's probably not a
> security hole as presumably KTH does the right thing with regards to
> O_EXCL and so on, but it's not ideal.

That's what src/lib/libpam/modules/pam_kerberosIV/klogin.c does, and yes,
it should be perfectly safe.

/assar
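The two ticket-file naming schemes discussed in this message, as an added C example that is not taken from klogin.c or from KTH Kerberos: it shows why exclusive creation keeps a fixed name in a shared directory safe, and why only per-session names survive a second login. The function names `create_fixed`, `create_session` and `demo`, and the scratch directory, are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* mkstemp(), mkdtemp(), symlink() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Fixed name (the /tmp/tkt<uid> case). O_CREAT|O_EXCL makes open() fail with
 * EEXIST if anything already exists at the path, including a symlink, so a
 * pre-planted link is never followed. Returns an fd, or -1 with errno set. */
int create_fixed(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Per-session name (the /tmp/tkt<uid>_<random> case). mkstemp() picks the
 * suffix and creates the file exclusively with mode 0600. */
int create_session(const char *dir, unsigned uid, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/tkt%u_XXXXXX", dir, uid);
    if (n < 0 || (size_t)n >= outlen) { errno = ENAMETOOLONG; return -1; }
    return mkstemp(out);
}

/* Runs both cases in a private scratch directory (constructed sample paths).
 * Returns 0 if every check holds, otherwise the number of the failed check. */
int demo(void)
{
    char dir[] = "/tmp/tktdemo.XXXXXX", fixed[64], victim[64], s1[64], s2[64];
    int rc = 0, fd1 = -1, fd2 = -1;
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(fixed, sizeof fixed, "%s/tkt1000", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    /* A dangling symlink already sits at the fixed name: creation must fail. */
    if (symlink(victim, fixed) != 0) rc = 2;
    else if (create_fixed(fixed) != -1 || errno != EEXIST) rc = 3;
    else if (access(victim, F_OK) == 0) rc = 4;      /* link target untouched */
    /* Two logins get distinct files; the first logout removes only its own. */
    else if ((fd1 = create_session(dir, 1000, s1, sizeof s1)) < 0) rc = 5;
    else if ((fd2 = create_session(dir, 1000, s2, sizeof s2)) < 0) rc = 6;
    else if (strcmp(s1, s2) == 0) rc = 7;
    else if (unlink(s1) != 0 || access(s2, F_OK) != 0) rc = 8;
    if (fd1 >= 0) { close(fd1); unlink(s1); }
    if (fd2 >= 0) { close(fd2); unlink(s2); }
    unlink(fixed); rmdir(dir);
    return rc;
}

int main(void) { return demo(); }
```

With a single fixed name, exclusive creation protects the file itself but both sessions still share it, which is the logout problem described in the quoted text.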