Date: 21 Feb 2001 02:55:49 +0100
From: assar@FreeBSD.org
To: Robert Watson <rwatson@FreeBSD.org>
Cc: "Brian F. Feldman" <green@FreeBSD.org>, security@FreeBSD.org
Subject: Re: PAM/SSH and KerberosIV?
Message-ID: <5l8zn0ajfe.fsf@assaris.sics.se>
In-Reply-To: Robert Watson's message of "Fri, 2 Feb 2001 21:14:38 -0500 (EST)"
References: <Pine.NEB.3.96L.1010202210509.37792A-100000@fledge.watson.org>

Robert Watson <rwatson@FreeBSD.org> writes:
> However, this seems to have broken using unique kerberos ticket filenames
> for each session -- now it always uses /tmp/tkt1000 for uid 1000, rather
> than /tmp/tkt1000_randomnumber, meaning that if you log in twice, the
> first logout hoses the tickets for the second session.  This didn't happen
> previously, and is probably an issue with pam_kerberosIV.so that I didn't
> run into previously since I always logged in via SSH.  It's probably not a
> security hole as presumably KTH does the right thing with regards to
> O_EXCL and so on, but it's not ideal.

That's what src/lib/libpam/modules/pam_kerberosIV/klogin.c does, and
yes, it should be perfectly safe.

/assar
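
The O_EXCL behaviour and the per-session ticket file naming discussed in the message above, as an added example that is not part of the original e-mail and is not code from klogin.c or KTH Kerberos. The function names and the scratch directory are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Added example; function names and scratch paths are hypothetical.
 * Fixed name (<dir>/tkt1000): with O_CREAT|O_EXCL, open() fails with EEXIST
 * if anything already sits at the path, including a symlink planted by
 * another local user, so the ticket is never written through it. */
int create_fixed_ticket(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Per-session name (<dir>/tkt1000_XXXXXX): mkstemp() fills in a unique
 * suffix and creates the file exclusively with mode 0600. */
int create_session_ticket(char *buf, size_t len, const char *dir, unsigned uid)
{
    int n = snprintf(buf, len, "%s/tkt%u_XXXXXX", dir, uid);
    if (n < 0 || (size_t)n >= len) { errno = ENAMETOOLONG; return -1; }
    return mkstemp(buf);
}

/* Constructed scenario in a private scratch directory; returns 0 if every
 * check holds, otherwise a bitmask of the checks that failed. */
int demo(void)
{
    char dir[] = "/tmp/tktdemo_XXXXXX", fixed[64], target[64], s1[64], s2[64];
    int rc = 0, fd, fd1, fd2;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(fixed, sizeof fixed, "%s/tkt1000", dir);
    snprintf(target, sizeof target, "%s/elsewhere", dir);
    /* A pre-planted symlink at the fixed name is refused, not followed. */
    if (symlink(target, fixed) != 0) rc |= 1;
    fd = create_fixed_ticket(fixed);
    if (fd != -1 || errno != EEXIST) rc |= 2;
    if (access(target, F_OK) == 0) rc |= 4;
    /* Two sessions of uid 1000 get distinct files; removing the first at
     * logout leaves the second session's ticket file in place. */
    fd1 = create_session_ticket(s1, sizeof s1, dir, 1000);
    fd2 = create_session_ticket(s2, sizeof s2, dir, 1000);
    if (fd1 < 0 || fd2 < 0 || strcmp(s1, s2) == 0) rc |= 8;
    unlink(s1);
    if (access(s2, F_OK) != 0) rc |= 16;
    close(fd); close(fd1); close(fd2);
    unlink(s2); unlink(fixed); unlink(target); rmdir(dir);
    return rc;
}
```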