- Issued: 2008-07-24
- Updated: 2008-07-24
RHBA-2008:0712 - Bug Fix Advisory
Synopsis
pam_krb5 bug fix update
Type/Severity
Bug Fix Advisory
Topic
An updated pam_krb5 package that fixes various bugs is now available.
Description
The pam_krb5 module allows applications that are aware of Pluggable
Authentication Modules (PAM) to use Kerberos to verify user identities by
obtaining user credentials at login time.
This updated package fixes the following bugs:
- when a user or calling application supplied '""' as the value for a
user's password, and libkrb5 attempted to invoke a callback function to
verify that this was intended as a password value, pam_krb5 did not confirm
that this was the case. The resulting error was incorrectly treated as a
system-level error, rather than an authentication error, which in many
cases caused a subsequent PAM account management function to fail,
incorrectly denying login.
- when configured to make use of externally-provided credentials, and
to convert Kerberos 5 credentials to Kerberos IV credentials, the module
would cause the calling application to crash if the externally-provided
Kerberos 5 ticket-granting ticket (TGT) was not directly suitable for
conversion.
- when configured to disable attempts to obtain Kerberos IV credentials,
and AFS was detected, the module would still attempt to obtain them, either
using an AS request, or with the help of a Kerberos 524 server. In this
updated package, the "no_krb4_use_as_req" and "no_krb4_convert_524"
options have been backported, which allows this functionality to be
disabled. For further details on these options, refer to the pam_krb5 man
pages.
Users of pam_krb5 are advised to upgrade to this updated package, which
resolves these issues.
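
Added example (not part of the Red Hat advisory or the pam_krb5 project): a shell function that reports, for each PAM configuration line that loads pam_krb5.so, which of the two backported options named above is absent. It assumes the options are given as module arguments on the pam_krb5.so line; the sample configuration is constructed.

```sh
#!/bin/sh
# Added example, not from the advisory. Assumption: the two options are passed
# as module arguments on the pam_krb5.so line of a PAM configuration file.
REQUIRED_OPTS="no_krb4_use_as_req no_krb4_convert_524"

# Reads PAM configuration text on stdin. Prints one line per pam_krb5 entry:
#   "<lineno> <type> ok"   or   "<lineno> <type> missing:<opt>[,<opt>]"
audit_pam_krb5() {
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}                  # strip comments
        case "$line" in
            *pam_krb5.so*) ;;
            *) continue ;;                # not a pam_krb5 entry
        esac
        set -f; set -- $line; set +f      # split into words without globbing
        type=$1
        missing=""
        for opt in $REQUIRED_OPTS; do
            found=no
            for word in "$@"; do
                if [ "$word" = "$opt" ]; then found=yes; fi
            done
            if [ "$found" = no ]; then missing="${missing:+$missing,}$opt"; fi
        done
        if [ -z "$missing" ]; then
            echo "$lineno $type ok"
        else
            echo "$lineno $type missing:$missing"
        fi
    done
    return 0
}

# Constructed sample in the style of a RHEL 4 system-auth file.
SAMPLE_PAM='# constructed sample, not taken from the advisory
auth     sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
account  [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok no_krb4_use_as_req
session  optional   /lib/security/$ISA/pam_krb5.so no_krb4_use_as_req no_krb4_convert_524
session  required   /lib/security/$ISA/pam_unix.so'

audit_sample() { printf '%s\n' "$SAMPLE_PAM" | audit_pam_krb5; }
audit_sample
```

On a host where Kerberos IV is meant to be disabled, run it as `audit_pam_krb5 < /etc/pam.d/system-auth` after confirming the installed package is the updated one.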
Solution
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188
Affected Products
- Red Hat Enterprise Linux Server 4 x86_64
- Red Hat Enterprise Linux Server 4 ia64
- Red Hat Enterprise Linux Server 4 i386
- Red Hat Enterprise Linux Workstation 4 x86_64
- Red Hat Enterprise Linux Workstation 4 ia64
- Red Hat Enterprise Linux Workstation 4 i386
- Red Hat Enterprise Linux Desktop 4 x86_64
- Red Hat Enterprise Linux Desktop 4 i386
- Red Hat Enterprise Linux for IBM z Systems 4 s390x
- Red Hat Enterprise Linux for IBM z Systems 4 s390
- Red Hat Enterprise Linux for Power, big endian 4 ppc
Fixes
- BZ - 244641 - Problem for ssh for kerberos users with PermitEmptyPasswords yes
- BZ - 428439 - sshd segfaults during kerberos auth with krb4 credentials
CVEs
(none)
References
(none)
Red Hat Enterprise Linux Server 4
SRPM | |
---|---|
pam_krb5-2.1.17-6.el4.src.rpm | SHA-256: 11511f53a4dfb7bede1f7e6f9826b37438ede270817c7b8c7b912b1beed9265b |
x86_64 | |
pam_krb5-2.1.17-6.el4.i386.rpm | SHA-256: 4f2004fde095024ea3a310be00360186cd54bcc137d338bc178f7b9a9014adc5 |
pam_krb5-2.1.17-6.el4.x86_64.rpm | SHA-256: d4bdcbaec5f47839177a03faad4add9c1dde9406ac54fb19d8fb512d20fe4c99 |
ia64 | |
pam_krb5-2.1.17-6.el4.i386.rpm | SHA-256: 4f2004fde095024ea3a310be00360186cd54bcc137d338bc178f7b9a9014adc5 |
pam_krb5-2.1.17-6.el4.ia64.rpm | SHA-256: e7b090ce46c0e59058a32258a67c4937190507fcd16dce8f2c6ed41eae92c662 |
i386 | |
pam_krb5-2.1.17-6.el4.i386.rpm | SHA-256: 4f2004fde095024ea3a310be00360186cd54bcc137d338bc178f7b9a9014adc5 |
Red Hat Enterprise Linux Workstation 4
SRPM | |
---|---|
pam_krb5-2.1.17-6.el4.src.rpm | SHA-256: 11511f53a4dfb7bede1f7e6f9826b37438ede270817c7b8c7b912b1beed9265b |
x86_64 | |
pam_krb5-2.1.17-6.el4.i386.rpm | SHA-256: 4f2004fde095024ea3a310be00360186cd54bcc137d338bc178f7b9a9014adc5 |
pam_krb5-2.1.17-6.el4.x86_64.rpm | SHA-256: d4bdcbaec5f47839177a03faad4add9c1dde9406ac54fb19d8fb512d20fe4c99 |
ia64 | |
pam_krb5-2.1.17-6.el4.i386.rpm | SHA-256: 4f2004fde095024ea3a310be00360186cd54bcc137d338bc178f7b9a9014adc5 |
pam_krb5-2.1.17-6.el4.ia64.rpm | SHA-256: e7b090ce46c0e59058a32258a67c4937190507fcd16dce8f2c6ed41eae92c662 |
i386 | |
pam_krb5-2.1.17-6.el4.i386.rpm | SHA-256: 4f2004fde095024ea3a310be00360186cd54bcc137d338bc178f7b9a9014adc5 |
Red Hat Enterprise Linux Desktop 4
SRPM | |
---|---|
pam_krb5-2.1.17-6.el4.src.rpm | SHA-256: 11511f53a4dfb7bede1f7e6f9826b37438ede270817c7b8c7b912b1beed9265b |
x86_64 | |
pam_krb5-2.1.17-6.el4.i386.rpm | SHA-256: 4f2004fde095024ea3a310be00360186cd54bcc137d338bc178f7b9a9014adc5 |
pam_krb5-2.1.17-6.el4.x86_64.rpm | SHA-256: d4bdcbaec5f47839177a03faad4add9c1dde9406ac54fb19d8fb512d20fe4c99 |
i386 | |
pam_krb5-2.1.17-6.el4.i386.rpm | SHA-256: 4f2004fde095024ea3a310be00360186cd54bcc137d338bc178f7b9a9014adc5 |
Red Hat Enterprise Linux for IBM z Systems 4
SRPM | |
---|---|
pam_krb5-2.1.17-6.el4.src.rpm | SHA-256: 11511f53a4dfb7bede1f7e6f9826b37438ede270817c7b8c7b912b1beed9265b |
s390x | |
pam_krb5-2.1.17-6.el4.s390.rpm | SHA-256: 0269269fbd1251473e5f30e597497eb7d3a917c596ce5bcaaac0594b200e6c4d |
pam_krb5-2.1.17-6.el4.s390x.rpm | SHA-256: c9c6aef6879b7079a82fd6cb67933e1e631048089a802019126cbca23cfe3d9c |
s390 | |
pam_krb5-2.1.17-6.el4.s390.rpm | SHA-256: 0269269fbd1251473e5f30e597497eb7d3a917c596ce5bcaaac0594b200e6c4d |
Red Hat Enterprise Linux for Power, big endian 4
SRPM | |
---|---|
pam_krb5-2.1.17-6.el4.src.rpm | SHA-256: 11511f53a4dfb7bede1f7e6f9826b37438ede270817c7b8c7b912b1beed9265b |
ppc | |
pam_krb5-2.1.17-6.el4.ppc.rpm | SHA-256: e1e4b957c8c1b90bd94bb2544d138f48783a918c535992f0d1d2aa1d6102a2ad |
pam_krb5-2.1.17-6.el4.ppc64.rpm | SHA-256: 6b44445cf694ef66525473c6ed46e9db28758a29ce99e2fb8c379743536338c9 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.