Bug Fix Advisory pam_krb5 bug fix update

Advisory: RHBA-2008:0712-3
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2008-07-24
Last updated on: 2008-07-24
Affected Products: Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4)
OVAL: N/A

Details

An updated pam_krb5 package that fixes various bugs is now available.

The pam_krb5 module allows Pluggable Authentication Modules (PAM) aware
applications to use Kerberos to verify user identities by obtaining user
credentials at login time.

This updated package fixes the following bugs:

* when a user or calling application supplied "" (the empty string) as the
value for a user's password, and libkrb5 attempted to invoke a callback
function to verify that this was intended as a password value, pam_krb5 did
not confirm that this was the case. The resulting error was incorrectly
treated as a system-level error, rather than an authentication error, which
in many cases caused a subsequent PAM account management function to fail,
incorrectly denying login.

* when configured to make use of externally-provided credentials, and
to convert Kerberos 5 credentials to Kerberos IV credentials, the module
would cause the calling application to crash if the externally-provided
Kerberos 5 ticket-granting ticket (TGT) was not directly suitable for
conversion.

* when configured to disable attempts to obtain Kerberos IV credentials,
and AFS was detected, the module would still attempt to obtain them, either
using an AS request, or with the help of a Kerberos 524 server. In this
updated package, the "no_krb4_use_as_req" and "no_krb4_convert_524"
options have been backported, which allows this functionality to be
disabled. For further details on these options, refer to the pam_krb5 man
pages.
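The third fix above names two module arguments, no_krb4_use_as_req and no_krb4_convert_524, which switch off the Kerberos IV paths that the buggy module took even when told not to. The following is an added example, not text or code from the advisory or from the pam_krb5 project: a small POSIX shell check that reads a PAM service file and confirms every auth line loading pam_krb5.so carries both arguments, run here against two constructed service files. The surrounding PAM stack in those files (pam_env.so, pam_unix.so, the control flags) is an assumption chosen for illustration, and the check assumes the arguments are passed on the module line, as the advisory's option names indicate.

```shell
#!/bin/sh
# Added example (not part of the advisory or of pam_krb5 itself).

# krb4_disabled_in FILE
# Returns 0 when FILE contains at least one non-comment "auth" line that
# loads pam_krb5.so and every such line carries both no_krb4_use_as_req
# and no_krb4_convert_524; returns 1 otherwise. Only auth lines are
# inspected, since those are the ones that acquire credentials.
krb4_disabled_in() {
    awk '
        /^[[:space:]]*#/ { next }                      # skip comments
        /^[[:space:]]*auth[[:space:]]/ && /pam_krb5\.so/ {
            seen = 1
            if ($0 !~ /no_krb4_use_as_req/ || $0 !~ /no_krb4_convert_524/)
                bad = 1                                # missing an argument
        }
        END { exit (seen && !bad) ? 0 : 1 }
    ' "$1"
}

# make_sample_configs
# Writes two constructed service files into a fresh temporary directory
# and prints that directory's path. "hardened" disables both Kerberos IV
# paths; "default" is the same stack without the new arguments.
make_sample_configs() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/hardened" <<'EOF'
#%PAM-1.0
# constructed sample: surrounding modules and control flags are assumptions
auth       required     pam_env.so
auth       sufficient   pam_krb5.so use_first_pass no_krb4_use_as_req no_krb4_convert_524
auth       required     pam_unix.so try_first_pass
account    required     pam_unix.so
account    [default=bad success=ok user_unknown=ignore] pam_krb5.so
EOF
    cat > "$dir/default" <<'EOF'
#%PAM-1.0
# constructed sample: pam_krb5 line without the backported arguments
auth       required     pam_env.so
auth       sufficient   pam_krb5.so use_first_pass
auth       required     pam_unix.so try_first_pass
account    required     pam_unix.so
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: report the result for each constructed file.
samples=$(make_sample_configs)
for f in hardened default; do
    if krb4_disabled_in "$samples/$f"; then
        printf '%s: Kerberos IV acquisition disabled on all pam_krb5 auth lines\n' "$f"
    else
        printf '%s: at least one pam_krb5 auth line still allows Kerberos IV\n' "$f"
    fi
done
```

The check is deliberately strict: a service file with no pam_krb5.so auth line at all also fails, so a file where the module was dropped by mistake is not reported as hardened. On a system that still relies on Kerberos IV tickets (for example for AFS access), these arguments are simply omitted and the check does not apply.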

Users of pam_krb5 are advised to upgrade to this updated package, which
resolves these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Desktop (v. 4)

SRPMS:
pam_krb5-2.1.17-6.el4.src.rpm     8bd96c898bff9ad8197f81255632389a
 
IA-32:
pam_krb5-2.1.17-6.el4.i386.rpm     91bc27c439c4ea7deff72db9bc0f3fb9
 
x86_64:
pam_krb5-2.1.17-6.el4.i386.rpm     91bc27c439c4ea7deff72db9bc0f3fb9
pam_krb5-2.1.17-6.el4.x86_64.rpm     d44e078c83c4220595777303b2449965
 
Red Hat Enterprise Linux AS (v. 4)

SRPMS:
pam_krb5-2.1.17-6.el4.src.rpm     8bd96c898bff9ad8197f81255632389a
 
IA-32:
pam_krb5-2.1.17-6.el4.i386.rpm     91bc27c439c4ea7deff72db9bc0f3fb9
 
IA-64:
pam_krb5-2.1.17-6.el4.i386.rpm     91bc27c439c4ea7deff72db9bc0f3fb9
pam_krb5-2.1.17-6.el4.ia64.rpm     41c2a64a26419afbe0b9c6f76d9489ae
 
PPC:
pam_krb5-2.1.17-6.el4.ppc.rpm     134abee6e654d69e2045bdea4823172b
pam_krb5-2.1.17-6.el4.ppc64.rpm     308ee9635a7089524abbc4429a5f6d51
 
s390:
pam_krb5-2.1.17-6.el4.s390.rpm     8f72917a85ca21bcc704ea1c20effe5b
 
s390x:
pam_krb5-2.1.17-6.el4.s390.rpm     8f72917a85ca21bcc704ea1c20effe5b
pam_krb5-2.1.17-6.el4.s390x.rpm     dd7eeb23172167e23b4de6e508637f2b
 
x86_64:
pam_krb5-2.1.17-6.el4.i386.rpm     91bc27c439c4ea7deff72db9bc0f3fb9
pam_krb5-2.1.17-6.el4.x86_64.rpm     d44e078c83c4220595777303b2449965
 
Red Hat Enterprise Linux ES (v. 4)

SRPMS:
pam_krb5-2.1.17-6.el4.src.rpm     8bd96c898bff9ad8197f81255632389a
 
IA-32:
pam_krb5-2.1.17-6.el4.i386.rpm     91bc27c439c4ea7deff72db9bc0f3fb9
 
IA-64:
pam_krb5-2.1.17-6.el4.i386.rpm     91bc27c439c4ea7deff72db9bc0f3fb9
pam_krb5-2.1.17-6.el4.ia64.rpm     41c2a64a26419afbe0b9c6f76d9489ae
 
x86_64:
pam_krb5-2.1.17-6.el4.i386.rpm     91bc27c439c4ea7deff72db9bc0f3fb9
pam_krb5-2.1.17-6.el4.x86_64.rpm     d44e078c83c4220595777303b2449965
 
Red Hat Enterprise Linux WS (v. 4)

SRPMS:
pam_krb5-2.1.17-6.el4.src.rpm     8bd96c898bff9ad8197f81255632389a
 
IA-32:
pam_krb5-2.1.17-6.el4.i386.rpm     91bc27c439c4ea7deff72db9bc0f3fb9
 
IA-64:
pam_krb5-2.1.17-6.el4.i386.rpm     91bc27c439c4ea7deff72db9bc0f3fb9
pam_krb5-2.1.17-6.el4.ia64.rpm     41c2a64a26419afbe0b9c6f76d9489ae
 
x86_64:
pam_krb5-2.1.17-6.el4.i386.rpm     91bc27c439c4ea7deff72db9bc0f3fb9
pam_krb5-2.1.17-6.el4.x86_64.rpm     d44e078c83c4220595777303b2449965
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

244641 - Problem for ssh for kerberos users with PermitEmptyPasswords yes
428439 - sshd segfaults during kerberos auth with krb4 credentials


Keywords

convert, external, prompter


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/